Vulnerability Description
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alkacon | Opencms | <= 10.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/alkacon/opencms-core/issues/635ExploitThird Party Advisory
- https://www.openwall.com/lists/oss-security/2019/04/30/3ExploitMailing ListThird Party Advisory
- https://github.com/alkacon/opencms-core/issues/635ExploitThird Party Advisory
- https://www.openwall.com/lists/oss-security/2019/04/30/3ExploitMailing ListThird Party Advisory
FAQ
What is CVE-2019-11818?
CVE-2019-11818 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert ar...
How severe is CVE-2019-11818?
CVE-2019-11818 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11818?
Check the references section above for vendor advisories and patch information. Affected products include: Alkacon Opencms.