VYPR
Low severity · NVD Advisory · Published Dec 16, 2005 · Updated Apr 16, 2026

CVE-2005-4294

Description

Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.0.3 allows remote attackers to inject arbitrary web script or HTML via the username in the login page.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
org.opencms:opencms-core   Maven       < 6.0.3             6.0.3

Affected products

Alkacon/Opencms (2 versions)
  • cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:* (range: <= 6.0.2)
  • cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*

Patches

Commit 148f2126f61b

* Fixed potential security issues in login dialog with username not being escaped

https://github.com/alkacon/opencms-core · aKandzior · Nov 10, 2005 · via GHSA
2 files changed · +7 −6
  • history.txt (+3 −2, modified)
    @@ -1,7 +1,7 @@
     /*
      * File   : $Source: /alkacon/cvs/opencms/history.txt,v $
    - * Date   : $Date: 2005/11/09 10:37:04 $
    - * Version: $Revision: 1.704 $
    + * Date   : $Date: 2005/11/10 07:31:21 $
    + * Version: $Revision: 1.705 $
      *
      * This file is part of OpenCms -
      * the Open Source Content Mananagement System
    @@ -24,6 +24,7 @@ OpenCms 6.0.3 - xxxxxxxxx, 2005
     * Improved error handling in XML page loader for locale selection process
     * Added fix for error handler in localized Xerces versions
     * Fixed issue #982: If tomcat path has spaces, the log file is not set
    +* Fixed potential security issues in login dialog with username not being escaped
     
     OpenCms 6.0.2 - October 13, 2005
     * Fixed issue #615: Uploading modules with new (unknown) resource type classes
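Review bot: the new changelog line `+* Fixed potential security issues in login dialog with username not being escaped` names neither the class nor the field that was changed, while the neighbouring entries reference concrete issue numbers (`#982`, `#615`); consider naming `CmsLogin.displayLoginForm()` and the username input so the entry is traceable from history.txt to the code change in the same commit.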
    
  • src/org/opencms/workplace/CmsLogin.java (+4 −4, modified)
    @@ -1,7 +1,7 @@
     /*
      * File   : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/CmsLogin.java,v $
    - * Date   : $Date: 2005/10/10 16:11:03 $
    - * Version: $Revision: 1.21 $
    + * Date   : $Date: 2005/11/10 07:31:21 $
    + * Version: $Revision: 1.22 $
      *
      * This library is part of OpenCms -
      * the Open Source Content Mananagement System
    @@ -63,7 +63,7 @@
      *
      * @author Alexander Kandzior 
      * 
    - * @version $Revision: 1.21 $ 
    + * @version $Revision: 1.22 $ 
      * 
      * @since 6.0.0 
      */
    @@ -557,7 +557,7 @@ protected String displayLoginForm() {
                 html.append("<input style=\"width: 100%\" type=\"text\"");
                 appendId(html, PARAM_USERNAME);
                 html.append("value=\"");
    -            html.append(CmsStringUtil.isEmpty(m_username) ? "" : m_username);
    +            html.append(CmsStringUtil.isEmpty(m_username) ? "" : CmsEncoder.escapeXml(m_username));
                 html.append("\">");
             } else if (m_action == ACTION_LOGIN) {
                 // append name of user that has been logged in
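Review bot: the escaped value written at `html.append(CmsStringUtil.isEmpty(m_username) ? "" : CmsEncoder.escapeXml(m_username));` is placed inside a double-quoted attribute (`html.append("value=\"");` ... `html.append("\">");`), so the fix is only sufficient if `CmsEncoder.escapeXml` encodes the `"` character as well as `&`, `<` and `>`; in attribute context a bare quote is enough to break out of the value, so please confirm the encoder covers it. The `} else if (m_action == ACTION_LOGIN) {` branch that follows ("append name of user that has been logged in") also writes the user name, and the lines shown do not indicate whether that path is escaped; apply the same treatment there if it is not.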
    
