Low severity · NVD Advisory · Published Aug 9, 2013 · Updated Apr 29, 2026
CVE-2013-4600
Description
Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to system/login/index.html.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | < 8.5.2 | 8.5.2 |
Affected products
- cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:* (range: <= 8.5.1)
- cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:8.5:*:*:*:*:*:*:*
Patches
72a05e3ea1cf Fixed some XSS problems (github issue #173)
2 files changed · +12 −1
src/org/opencms/util/CmsStringUtil.java+3 −0 modified@@ -368,6 +368,9 @@ public static String escapeJavaScript(String source) { source = CmsStringUtil.substitute(source, "\'", "\\\'"); source = CmsStringUtil.substitute(source, "\r\n", "\\n"); source = CmsStringUtil.substitute(source, "\n", "\\n"); + + // to avoid XSS (closing script tags) in embedded Javascript + source = CmsStringUtil.substitute(source, "/", "\\/"); return source; }
src/org/opencms/workplace/CmsDialog.java+9 −1 modified@@ -29,6 +29,7 @@ import org.opencms.file.CmsResource; import org.opencms.file.CmsResourceFilter; +import org.opencms.i18n.CmsEncoder; import org.opencms.i18n.CmsMessageContainer; import org.opencms.jsp.CmsJspActionElement; import org.opencms.lock.CmsLockFilter; @@ -876,7 +877,14 @@ public String dialogEnd() { */ public String dialogHead(String title) { - return "<div class=\"dialoghead\" unselectable=\"on\">" + (title == null ? "" : title) + "</div>"; + String escapedTitle; + if (title == null) { + escapedTitle = ""; + } else { + escapedTitle = CmsEncoder.escapeHtml(title); + } + + return "<div class=\"dialoghead\" unselectable=\"on\">" + escapedTitle + "</div>"; } /**
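Review bot: in the CmsStringUtil.escapeJavaScript hunk, the added `source = CmsStringUtil.substitute(source, "/", "\\/");` is only safe if the backslash substitution (not shown in this hunk's context) runs before it; a later `\` pass would turn the new `\/` into `\\/` and put the `</script>` sequence back. The visible lines also only handle `\r\n` and `\n`, so a bare `\r` still terminates a JavaScript string literal (as do the U+2028/U+2029 line terminators), and no `"` substitution is visible, so a caller that emits the value inside double quotes is not covered. Suggest a unit test with `</script>`, a bare CR and a double quote as inputs, and a comment stating the required ordering of the substitutions.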
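Review bot: in the dialogHead hunk, the javadoc that closes with `*/` right above `public String dialogHead(String title)` is not updated to say that `title` is now passed through CmsEncoder.escapeHtml; any caller that passes an already-escaped or deliberately marked-up title will now render doubled entities or literal tags, so the contract change should be documented and existing callers checked. This is output encoding at a single sink, and with only two files in the commit, other places the same parameter is written are not covered here. Minor: the null branch can be a single expression, e.g. `String escapedTitle = (title == null) ? "" : CmsEncoder.escapeHtml(title);`.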
Vulnerability mechanics
Both vectors are reflected XSS caused by missing output encoding at the sink, as the fix commit shows. In CmsDialog.dialogHead(String), the title was concatenated verbatim into the `<div class="dialoghead">` markup, so a title containing tags or a script element was rendered as markup; the fix passes it through CmsEncoder.escapeHtml before concatenation. In CmsStringUtil.escapeJavaScript(String), values placed inside inline JavaScript string literals had quotes and newlines escaped but not the forward slash, so a value containing `</script>` ended the script element at the HTML tokenizer level, regardless of the JavaScript string context, and whatever followed was parsed as fresh markup; the fix escapes `/` as `\/`, which leaves the value unchanged for the JavaScript engine but keeps the closing-tag sequence out of the script data. The description names the parameters that reach these sinks (title for admin-main.jsp, requestedResource for the login page); the JSP call sites themselves are not part of the diff.
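To make both sinks concrete, here is an added Python example (not OpenCms code; Python stands in for the Java, `html.escape` stands in for CmsEncoder.escapeHtml, and the backslash pass in the escaper and the inline-script template are assumptions, since neither appears in the diff). It reproduces the pre-fix and post-fix behaviour of escapeJavaScript and dialogHead against constructed payloads, counts how many script elements the HTML tokenizer would see, and checks that the added `/` escaping does not change the value the JavaScript engine reads:

```python
import html
import re

# Constructed sample inputs for this example (not taken from the advisory).
TITLE_PAYLOAD = '<img src=x onerror=alert(1)>'
RESOURCE_PAYLOAD = "/sites/default/';</script><script>alert(1)//"

DIALOG_HEAD_PREFIX = '<div class="dialoghead" unselectable="on">'


def escape_javascript_before(source):
    """Stand-in for the pre-fix CmsStringUtil.escapeJavaScript.

    Mirrors the substitutions visible in the hunk. The backslash pass is an
    assumption: the real method is assumed to do it above the shown context,
    and it must run first or it would double the escapes added afterwards.
    """
    source = source.replace("\\", "\\\\")
    source = source.replace("'", "\\'")
    source = source.replace("\r\n", "\\n")
    source = source.replace("\n", "\\n")
    return source


def escape_javascript_after(source):
    """Pre-fix escaping plus the single substitution the patch adds: '/' -> '\\/'."""
    return escape_javascript_before(source).replace("/", "\\/")


def render_inline_script(value, escaper):
    """Hypothetical template that writes a request value into a single-quoted
    JavaScript string; the advisory does not show the real call site."""
    return "<script>var requestedResource = '" + escaper(value) + "';</script>"


def count_script_elements(page):
    """What the HTML tokenizer sees: script data ends at the first '</script',
    regardless of JavaScript string or comment context."""
    return len(re.findall(r"<script[^>]*>.*?</script", page, re.I | re.S))


def js_single_quoted_decode(literal_body):
    """Decode the escapes the escaper emits (\\\\, \\', \\/, \\n) the way a JS
    engine reads a string literal, to show the fix preserves the value."""
    out, i = [], 0
    while i < len(literal_body):
        ch = literal_body[i]
        if ch == "\\" and i + 1 < len(literal_body):
            nxt = literal_body[i + 1]
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def dialog_head_before(title):
    """Pre-fix CmsDialog.dialogHead: title concatenated verbatim."""
    return DIALOG_HEAD_PREFIX + ("" if title is None else title) + "</div>"


def dialog_head_after(title):
    """Post-fix dialogHead; html.escape stands in for CmsEncoder.escapeHtml
    (assumption: both encode <, >, & and quotes)."""
    escaped = "" if title is None else html.escape(title, quote=True)
    return DIALOG_HEAD_PREFIX + escaped + "</div>"


if __name__ == "__main__":
    for name, esc in (("before", escape_javascript_before),
                      ("after", escape_javascript_after)):
        page = render_inline_script(RESOURCE_PAYLOAD, esc)
        print(name, "script elements:", count_script_elements(page))
        print("   ", page)
    print("title before:", dialog_head_before(TITLE_PAYLOAD))
    print("title after: ", dialog_head_after(TITLE_PAYLOAD))
    print("round trip ok:",
          js_single_quoted_decode(escape_javascript_after(RESOURCE_PAYLOAD)) == RESOURCE_PAYLOAD)
```

The pre-fix escaper produces a page with two script elements, because the tokenizer closes the first one at the injected `</script>` inside the string literal; the post-fix escaper yields one, and decoding the escaped literal gives back the original value, which is why escaping `/` is a safe, behaviour-preserving fix for this sink.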
References
- archives.neohapsis.com/archives/bugtraq/2013-07/0113.html (nvd: Exploit)
- www.htbridge.com/advisory/HTB23160 (nvd: Exploit)
- github.com/advisories/GHSA-4gfx-p2j4-w2vh (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-4600 (ghsa: Advisory)
- www.opencms.org/en/news/130710-opencms-v852-releasenotes.html (nvd: Web)
- github.com/alkacon/opencms-core/commit/72a05e3ea1cf692e2efce002687272e63f98c14a (ghsa: Web)
- github.com/alkacon/opencms-core/issues/173 (nvd: Web)