VYPR
Low severity · NVD Advisory · Published Jul 31, 2006 · Updated Apr 16, 2026

CVE-2006-3933

Description

Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.2.2 allows remote authenticated users to inject arbitrary web script or HTML via the message body.
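As an added illustration (not code from the OpenCms project), the following Python mirrors the two approaches visible in the fix commit: the input-side "<script" substring check that the patch removes from CmsMessageInfo.checkString, and the output-side escaping it adds to CmsWorkplace.getBroadcastMessageString. The escape_xml helper stands in for CmsEncoder.escapeXml and is assumed to escape the same XML special characters; the sample messages are constructed.

```python
import html

# Constructed sample broadcasts (not taken from the advisory or the code base).
SAMPLE_USER = "admin"
SAMPLE_MESSAGE = '<script>alert("xss")</script> Maintenance tonight'
BENIGN_MENTION = "Remember to close every <script> tag in the template"


def blocklist_check(message: str) -> bool:
    """Pre-6.2.2 input filter, mirroring the removed checkString branch:
    accepts the message unless it contains a literal, case-insensitive "<script".
    It is all-or-nothing: benign text that merely mentions the tag is rejected."""
    return "<script" not in message.lower()


def render_broadcast_unescaped(user: str, message: str) -> str:
    """Pre-fix rendering: the stored body is concatenated into the page as-is."""
    return f" {user}:\n{message}\n\n"


def escape_xml(text: str) -> str:
    """Assumed stand-in for CmsEncoder.escapeXml: encode &, <, >, " and '."""
    return html.escape(text, quote=True)


def render_broadcast_escaped(user: str, message: str) -> str:
    """6.2.2 rendering: the body is escaped at the output sink, so the stored
    text is kept verbatim but can no longer be interpreted as markup."""
    return f" {user}:\n{escape_xml(message)}\n\n"


def contains_raw_markup(rendered: str) -> bool:
    """True if the rendered string still carries angle brackets the browser
    would parse as tags."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    for body in (SAMPLE_MESSAGE, BENIGN_MENTION):
        print("blocklist accepts:", blocklist_check(body))
        print("raw markup before fix:",
              contains_raw_markup(render_broadcast_unescaped(SAMPLE_USER, body)))
        print("raw markup after fix: ",
              contains_raw_markup(render_broadcast_escaped(SAMPLE_USER, body)))
```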

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions   Patched versions
org.opencms:opencms-core (Maven)   < 6.2.2             6.2.2

Affected products

  • Alkacon/OpenCms (6 CPE entries):
    • cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:* (range: <= 6.2.1)
    • cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*

Patches

Commit e2d3754ef27e

fixed issue #1190: broadcast could send Javascript to users

https://github.com/alkacon/opencms-core · aZahner · Jul 21, 2006 · via ghsa
4 files changed · +10 -16
  • src-modules/org/opencms/workplace/tools/workplace/broadcast/CmsMessageInfo.java (+3 -5, modified)
    @@ -1,7 +1,7 @@
     /*
      * File   : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/broadcast/CmsMessageInfo.java,v $
    - * Date   : $Date: 2006/07/20 10:14:23 $
    - * Version: $Revision: 1.10 $
    + * Date   : $Date: 2006/07/21 10:08:22 $
    + * Version: $Revision: 1.11 $
      *
      * This library is part of OpenCms -
      * the Open Source Content Mananagement System
    @@ -52,7 +52,7 @@
      * 
      * @author Michael Moossen 
      * 
    - * @version $Revision: 1.10 $ 
    + * @version $Revision: 1.11 $ 
      * 
      * @since 6.0.0 
      */
    @@ -243,8 +243,6 @@ private void checkString(String string) {
     
             if (CmsStringUtil.isEmptyOrWhitespaceOnly(string)) {
                 throw new CmsIllegalArgumentException(Messages.get().container(Messages.ERR_EMPTY_STRING_0));
    -        } else if (string.toLowerCase().indexOf("<script") != -1) {
    -            throw new CmsIllegalArgumentException(Messages.get().container(Messages.ERR_STRING_CONTAINS_SCRIPT_0));
             }
         }
     
    
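Review bot: Dropping the "<script" substring branch from checkString is only safe because the same commit escapes the body in CmsWorkplace.getBroadcastMessageString; on its own the branch was a case-insensitive literal match that also rejected benign text mentioning the tag, so nothing of value is lost, but please confirm that every other place the stored broadcast body is rendered goes through CmsEncoder.escapeXml, since this change makes the stored text raw. A short comment on checkString saying that the message is stored unescaped and encoded at output time would save the next maintainer from re-adding an input filter.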
  • src-modules/org/opencms/workplace/tools/workplace/broadcast/Messages.java (+3 -6, modified)
    @@ -1,7 +1,7 @@
     /*
      * File   : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/broadcast/Messages.java,v $
    - * Date   : $Date: 2006/07/20 10:14:23 $
    - * Version: $Revision: 1.10 $
    + * Date   : $Date: 2006/07/21 10:08:22 $
    + * Version: $Revision: 1.11 $
      *
      * This library is part of OpenCms -
      * the Open Source Content Mananagement System
    @@ -39,7 +39,7 @@
      * 
      * @author Michael Moossen 
      * 
    - * @version $Revision: 1.10 $ 
    + * @version $Revision: 1.11 $ 
      * 
      * @since 6.0.0 
      */
    @@ -57,9 +57,6 @@ public final class Messages extends A_CmsMessageBundle {
         /** Message contant for key in the resource bundle. */
         public static final String ERR_SEND_MESSAGE_0 = "ERR_SEND_MESSAGE_0";
     
    -    /** Message contant for key in the resource bundle. */
    -    public static final String ERR_STRING_CONTAINS_SCRIPT_0 = "ERR_STRING_CONTAINS_SCRIPT_0";
    -
         /** Message contant for key in the resource bundle. */
         public static final String GUI_EXCLUDED_USERS_WARNING_0 = "GUI_EXCLUDED_USERS_WARNING_0";
     
    
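Review bot: Removing ERR_STRING_CONTAINS_SCRIPT_0 here together with its messages.properties entry keeps the bundle consistent, but the key should be searched for across the rest of the tree (other bundles, JSPs, tests) before merge, because a reference that reaches the bundle through a string key would only fail at runtime. Unrelated to the fix: the kept Javadoc lines read "Message contant" ("constant") and could be corrected in a follow-up.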
  • src-modules/org/opencms/workplace/tools/workplace/broadcast/messages.properties (+0 -1, modified)
    @@ -1,7 +1,6 @@
     ERR_SEND_EMAIL_0								=Could not redirect to the edit email page.
     ERR_SEND_MESSAGE_0								=Could not redirect to the edit message page.
     ERR_EMPTY_STRING_0                              =This string should not be empty.
    -ERR_STRING_CONTAINS_SCRIPT_0                    =This string should not contain any JavaScript.
     ERR_NO_SELECTED_USER_WITH_EMAIL_0               =There is no selected user with a valid email address.
     GUI_EXCLUDED_USERS_WARNING_0                    =The following users have been filtered because they do not have an associated valid email address:
     
    
  • src/org/opencms/workplace/CmsWorkplace.java (+4 -4, modified)
    @@ -1,7 +1,7 @@
     /*
      * File   : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/CmsWorkplace.java,v $
    - * Date   : $Date: 2006/07/20 10:14:23 $
    - * Version: $Revision: 1.158 $
    + * Date   : $Date: 2006/07/21 10:08:22 $
    + * Version: $Revision: 1.159 $
      *
      * This library is part of OpenCms -
      * the Open Source Content Mananagement System
    @@ -89,7 +89,7 @@
      *
      * @author  Alexander Kandzior 
      * 
    - * @version $Revision: 1.158 $ 
    + * @version $Revision: 1.159 $ 
      * 
      * @since 6.0.0 
      */
    @@ -1289,7 +1289,7 @@ public String getBroadcastMessageString() {
                     result.append(' ');
                     result.append(message.getUser().getName());
                     result.append(":\n");
    -                result.append(message.getMessage());
    +                result.append(CmsEncoder.escapeXml(message.getMessage()));
                     result.append("\n\n");
                 }
                 return result.toString();
    
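Review bot: The body now goes through CmsEncoder.escapeXml, but message.getUser().getName() two lines above is still appended raw into the same output string; even if user names are constrained elsewhere, escaping every field at this sink is cheaper than reasoning about each source, so apply escapeXml to the name as well for consistency. Since the fix encodes at output rather than filtering input, a one-line comment here noting that message.getMessage() returns unescaped text would document the contract for future call sites.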
