An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS02YzhjLWYydzItanZqcs4AAWDD

Severity: Low | CVSS: 1.3 | EPSS: 0.004% (0.59787 percentile)

Alkacon OpenCMS XSS via homelink, workplaceresource, mode and query parameters

Affected Package                 Affected Versions   Fixed Versions
maven:org.opencms:opencms-core   <= 9.5.1            9.5.2

Dependent packages: 127
Dependent repositories: 22

Affected Version Ranges

All affected versions

8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.5.0, 8.5.1, 8.5.2, 9.0.0, 9.0.1, 9.5.0, 9.5.1

All unaffected versions

9.5.2, 9.5.3, 10.0.0, 10.0.1, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 11.0.0, 11.0.1, 11.0.2

Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms 9.5.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) homelink parameter to system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp, (2) workplaceresource parameter to system/workplace/locales/en/help/index.html, (3) path parameter to system/workplace/views/admin/admin-main.jsp, (4) mode parameter to system/workplace/views/explorer/explorer_files.jsp, or (5) query parameter in a search action to system/modules/org.opencms.workplace.help/elements/search.jsp.
