Low severity · NVD Advisory · Published Mar 25, 2008 · Updated Apr 23, 2026
CVE-2008-1510
Description
Cross-site scripting (XSS) vulnerability in system/workplace/admin/accounts/users_list.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) searchfilter or (2) listSearchFilter parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | < 7.0.4 | 7.0.4 |
Patches (1)
49c5beded65b: Bugfix for security issue 27986 reported by Security Focus
1 file changed · +11 −4
src/org/opencms/workplace/explorer/CmsTree.java+11 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/explorer/CmsTree.java,v $ - * Date : $Date: 2008/02/27 12:05:21 $ - * Version: $Revision: 1.28 $ + * Date : $Date: 2008/02/28 17:20:09 $ + * Version: $Revision: 1.29 $ * * This library is part of OpenCms - * the Open Source Content Management System @@ -48,6 +48,7 @@ import org.opencms.main.CmsLog; import org.opencms.main.OpenCms; import org.opencms.site.CmsSite; +import org.opencms.util.CmsStringUtil; import org.opencms.workplace.CmsWorkplace; import org.opencms.workplace.CmsWorkplaceSettings; @@ -73,7 +74,7 @@ * * @author Alexander Kandzior * - * @version $Revision: 1.28 $ + * @version $Revision: 1.29 $ * * @since 6.0.0 */ @@ -579,6 +580,11 @@ protected void initWorkplaceRequestValues(CmsWorkplaceSettings settings, HttpSer setProjectAware(Boolean.valueOf(request.getParameter(PARAM_PROJECTAWARE)).booleanValue()); boolean rootloaded = Boolean.valueOf(request.getParameter(PARAM_ROOTLOADED)).booleanValue(); String resource = request.getParameter(PARAM_RESOURCE); + + if (!getCms().existsResource(resource)) { + resource = null; + } + setTreeType(request.getParameter(PARAM_TYPE)); String treeSite = request.getParameter(PARAM_TREESITE); computeSiteSelector(request); @@ -593,6 +599,7 @@ protected void initWorkplaceRequestValues(CmsWorkplaceSettings settings, HttpSer String lastknown = request.getParameter(PARAM_LASTKNOWN); // both "resource" and "lastknown" must be folders + if (resource != null) { resource = CmsResource.getFolderPath(resource); } @@ -806,7 +813,7 @@ private String printError(Throwable t) { StringBuffer result = new StringBuffer(1024); result.append("/*\n"); - result.append(t.getMessage()); + result.append(CmsStringUtil.escapeHtml(t.getMessage())); result.append("\n*/\n"); result.append("function init() {\n"); result.append("}\n");
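Review bot: in the `initWorkplaceRequestValues` hunk, `getCms().existsResource(resource)` receives the raw `request.getParameter(PARAM_RESOURCE)` value, which is null when the parameter is absent; unless `existsResource` is documented to tolerate null, short-circuit first, e.g. `if (resource == null || !getCms().existsResource(resource)) { resource = null; }`, so the new validation cannot itself throw on an ordinary request. Resetting a non-existent path to null is the right shape of mitigation here, since it keeps an attacker-supplied path from reaching the tree output later in the method.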
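Review bot: the added `if (resource != null) {` guard is the necessary companion to the earlier reset, since `CmsResource.getFolderPath(resource)` would otherwise be reached with a null argument; in the visible hunk only the `if` line is marked as added while the closing `}` appears as unchanged context, so confirm against the full diff that the brace pairing in this region is intact.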
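Review bot: in the `printError` hunk, `CmsStringUtil.escapeHtml(t.getMessage())` closes the HTML-injection sink, but the message is emitted inside a JavaScript block comment (`result.append("/*\n")` ... `result.append("\n*/\n")`), and HTML escaping does not alter a `*/` sequence, so a message containing it would still end the comment early; strip or replace `*/` in the escaped text, or better, log the exception server-side and emit only a generic marker to the client. Also confirm `escapeHtml` accepts a null argument, because `Throwable.getMessage()` may return null.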
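Review bot: the commit touches only `src/org/opencms/workplace/explorer/CmsTree.java`, while the advisory description names `system/workplace/admin/accounts/users_list.jsp` and the `searchfilter` / `listSearchFilter` parameters; nothing in the visible diff escapes those parameters, so the commit message should state whether a separate change covers them or the patch reference for this CVE should point at that change.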
References (7)
- github.com/advisories/GHSA-4fg8-5hwc-wg5v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-1510 (GHSA, advisory)
- securityreason.com/securityalert/3777 (NVD, web)
- exchange.xforce.ibmcloud.com/vulnerabilities/41390 (NVD, web)
- github.com/alkacon/opencms-core/commit/49c5beded65bf0232cab61b1299b85dee9ae2014 (GHSA, web)
- www.securityfocus.com/archive/1/489984/100/0/threaded (NVD)
- www.securityfocus.com/bid/28411 (NVD)