Low severity · NVD Advisory · Published Feb 27, 2008 · Updated Apr 23, 2026
CVE-2008-1045
Description
Cross-site scripting (XSS) vulnerability in the file tree navigation function in system/workplace/views/explorer/tree_files.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the resource parameter.
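The fix for this issue (see the patch below) nulls out unknown resource paths and HTML-escapes an exception message before writing it into generated JavaScript. The following is an added example, written in JavaScript rather than the project's Java and not OpenCms code, to show why the encoder must match the sink: the message lands inside a `/* ... */` block comment, and HTML escaping does nothing to the two-character sequence that closes such a comment. All names here (`escapeHtml` as a stand-in for `CmsStringUtil.escapeHtml`, `escapeJsComment`, `renderError`, `scriptSmuggles`, `compareEncoders`) and the payload are constructed for the demonstration.

```javascript
// Added example, not OpenCms code: a stand-in for the error path patched in
// CVE-2008-1045, where an exception message is written into a generated
// JavaScript file between "/*" and "*/". Function and payload names below
// are constructed for the demonstration.

// Stand-in for CmsStringUtil.escapeHtml: entity-encode HTML metacharacters.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encoder for a JavaScript block-comment context: the only way out of a
// block comment is the two-character sequence "*/", so breaking that
// sequence is sufficient. A backslash between the two characters keeps
// the text readable while leaving no valid terminator.
function escapeJsComment(s) {
  return String(s).replace(/\*\//g, "*\\/");
}

// Same output shape as the patched printError(): message in a comment,
// followed by an empty init() function.
function renderError(message, encoder) {
  return "/*\n" + encoder(message) + "\n*/\nfunction init() {\n}\n";
}

// Evaluates the generated script in a function scope with a sentinel
// object in view. If the message broke out of the comment, the smuggled
// code runs and flips the sentinel; otherwise only init() gets defined.
function scriptSmuggles(script) {
  const sentinel = { hit: false };
  try {
    const fn = new Function("sentinel", script + "\nreturn typeof init === 'function';");
    const definedInit = fn(sentinel);
    return { definedInit, smuggled: sentinel.hit, syntaxError: false };
  } catch (e) {
    return { definedInit: false, smuggled: sentinel.hit, syntaxError: true };
  }
}

// Constructed payload: closes the comment, runs a statement, reopens it so
// the trailing "*/" emitted by the server stays syntactically valid.
const CONSTRUCTED_PAYLOAD = "*/ sentinel.hit = true; /*";

// Runs the same message through both encoders and reports whether each
// one let code escape the comment.
function compareEncoders(message) {
  return {
    html: scriptSmuggles(renderError(message, escapeHtml)).smuggled,
    jsComment: scriptSmuggles(renderError(message, escapeJsComment)).smuggled,
  };
}

console.log(compareEncoders(CONSTRUCTED_PAYLOAD)); // { html: true, jsComment: false }
```

Run with `node` to see the comparison. The HTML encoder leaves the payload untouched (it contains no `<`, `>`, `&` or quotes), so the generated script executes the smuggled statement; the comment-context encoder keeps the whole message inert. The general lesson is that reflected data needs the encoder for the context it is written into, and exception text is better logged server-side than echoed to the client at all.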
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | < 7.0.4 | 7.0.4 |
Patches
49c5beded65b: Bugfix for security issue 27986 reported by Security Focus
1 file changed · +11 −4
src/org/opencms/workplace/explorer/CmsTree.java+11 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/explorer/CmsTree.java,v $ - * Date : $Date: 2008/02/27 12:05:21 $ - * Version: $Revision: 1.28 $ + * Date : $Date: 2008/02/28 17:20:09 $ + * Version: $Revision: 1.29 $ * * This library is part of OpenCms - * the Open Source Content Management System @@ -48,6 +48,7 @@ import org.opencms.main.CmsLog; import org.opencms.main.OpenCms; import org.opencms.site.CmsSite; +import org.opencms.util.CmsStringUtil; import org.opencms.workplace.CmsWorkplace; import org.opencms.workplace.CmsWorkplaceSettings; @@ -73,7 +74,7 @@ * * @author Alexander Kandzior * - * @version $Revision: 1.28 $ + * @version $Revision: 1.29 $ * * @since 6.0.0 */ @@ -579,6 +580,11 @@ protected void initWorkplaceRequestValues(CmsWorkplaceSettings settings, HttpSer setProjectAware(Boolean.valueOf(request.getParameter(PARAM_PROJECTAWARE)).booleanValue()); boolean rootloaded = Boolean.valueOf(request.getParameter(PARAM_ROOTLOADED)).booleanValue(); String resource = request.getParameter(PARAM_RESOURCE); + + if (!getCms().existsResource(resource)) { + resource = null; + } + setTreeType(request.getParameter(PARAM_TYPE)); String treeSite = request.getParameter(PARAM_TREESITE); computeSiteSelector(request); @@ -593,6 +599,7 @@ protected void initWorkplaceRequestValues(CmsWorkplaceSettings settings, HttpSer String lastknown = request.getParameter(PARAM_LASTKNOWN); // both "resource" and "lastknown" must be folders + if (resource != null) { resource = CmsResource.getFolderPath(resource); } @@ -806,7 +813,7 @@ private String printError(Throwable t) { StringBuffer result = new StringBuffer(1024); result.append("/*\n"); - result.append(t.getMessage()); + result.append(CmsStringUtil.escapeHtml(t.getMessage())); result.append("\n*/\n"); result.append("function init() {\n"); result.append("}\n");
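Review bot: in the `initWorkplaceRequestValues` hunk, `getCms().existsResource(resource)` runs before any null check, yet `request.getParameter(PARAM_RESOURCE)` returns null when the parameter is absent and the later hunk treats null `resource` as an expected state; test the null/empty case first, e.g. `if (CmsStringUtil.isEmpty(resource) || !getCms().existsResource(resource)) { resource = null; }` (CmsStringUtil is already imported by this patch). Rejecting non-existent paths is an allowlist on the input rather than encoding at the output, so it neutralises the reported XSS only if every place `resource` is later written into the generated script is covered; those emit sites are not in this diff and should be confirmed.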
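Review bot: the `if (resource != null)` guard added before `CmsResource.getFolderPath(resource)` only makes sense together with the earlier hunk, which now sets `resource = null` for unknown paths; add a one-line comment saying so, because the existing comment (`both "resource" and "lastknown" must be folders`) does not explain why `resource` can be null at this point.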
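Review bot: in `printError`, `CmsStringUtil.escapeHtml(t.getMessage())` is an encoder for an HTML context, but the value is written between `result.append("/*\n")` and `result.append("\n*/\n")`, i.e. inside a JavaScript block comment that is delivered as script; HTML escaping leaves `*` and `/` untouched, so a message containing `*/` would still terminate the comment and the remainder would be parsed as code. Neutralise the `*/` sequence for this context (and confirm `escapeHtml` tolerates a null `getMessage()`), or better, log the exception server-side and emit a fixed message instead of reflecting exception text to the client.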
References
- www.securityfocus.com/bid/27986 (NVD: Exploit)
- github.com/advisories/GHSA-v965-wwrq-gxfg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-1045 (GHSA: Advisory)
- securityreason.com/securityalert/3702 (NVD: Web)
- github.com/alkacon/opencms-core/commit/49c5beded65bf0232cab61b1299b85dee9ae2014 (GHSA: Web)
- secunia.com/advisories/29121 (NVD)
- www.securityfocus.com/archive/1/488708/100/0/threaded (NVD)