CVE-2019-11818
Description
Alkacon OpenCMS v10.5.4 and before is affected by stored cross-site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Alkacon OpenCMS 10.5.4 and earlier has a stored XSS in the New User module, allowing arbitrary JavaScript via First Name or Last Name fields.
Vulnerability
Analysis
Alkacon OpenCMS versions 10.5.4 and prior are affected by a stored cross-site scripting (XSS) vulnerability in the New User module, specifically within /opencms/system/workplace/admin/accounts/user_new.jsp [1]. The root cause is insufficient input validation of the First Name and Last Name fields [1]. An attacker can submit arbitrary JavaScript as user input, which is then stored and executed when the affected snippet is loaded [1].
Exploitation
An authenticated attacker with access to the user administration interface can exploit this vulnerability by crafting a payload such as "TestXSS<img+src=x+onmouseover=alert(document.domain)" in the First Name or Last Name fields [4]. No special privileges beyond the ability to create or edit user accounts are required, though authentication is necessary to access the admin console [1][4]. The stored script executes in the context of the victim's browser when the affected page is rendered [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any administrator who views the modified user entry [1]. This can lead to session hijacking, phishing attacks, or unauthorized actions performed on behalf of the victim [1]. The vulnerability has a CVSS v3.1 score of 5.4 (Medium), indicating a moderate severity [1].
Mitigation
The OpenCMS project addressed this issue by improving input validation in the user management module, as shown in commit b20c293 [3]. Users are advised to upgrade to a patched version of OpenCMS [3]. No workaround is documented, but limiting access to the admin console to trusted users reduces risk [4].
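The following Java snippet is an added illustration for this record; it is not OpenCms code and is not the change made in commit b20c293. It contrasts the vulnerable pattern behind this CVE (a stored First Name / Last Name value concatenated straight into HTML) with output encoding for the HTML text context, plus a simple input-side plausibility check of the kind the fix commit describes. The `storedUser`, `renderUserRow*`, `escapeHtml` and `isPlausibleName` names are hypothetical, and the markup-bearing last name is a constructed sample in the same style as the payload quoted above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class StoredXssDemo {

    // Hypothetical in-memory user record: what an administrator typed into the
    // First Name / Last Name fields. The lastName value is a constructed sample.
    static Map<String, String> storedUser() {
        Map<String, String> user = new LinkedHashMap<>();
        user.put("firstName", "Alice");
        user.put("lastName", "<img src=x onmouseover=\"alert(document.domain)\">");
        return user;
    }

    // Vulnerable pattern: stored values are concatenated directly into HTML, so any
    // tag or event-handler attribute the user entered becomes part of the page that
    // every administrator viewing the user list will render.
    static String renderUserRowVulnerable(Map<String, String> user) {
        return "<tr><td>" + user.get("firstName") + "</td><td>"
                + user.get("lastName") + "</td></tr>";
    }

    // Hardened pattern: escape at output time for the HTML text context. The stored
    // value is unchanged; the browser now sees literal text, not markup.
    static String renderUserRowEscaped(Map<String, String> user) {
        return "<tr><td>" + escapeHtml(user.get("firstName")) + "</td><td>"
                + escapeHtml(user.get("lastName")) + "</td></tr>";
    }

    // Minimal HTML-text-context escaper (hypothetical helper). Covers the five
    // characters that can change the parse of an element body or a quoted attribute.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Input-side check, complementary to output escaping: a person's name has no
    // business containing angle brackets. Apostrophes (O'Brien) are legitimate, which
    // is exactly why output encoding, not input filtering, is the control that
    // actually neutralises stored markup.
    static boolean isPlausibleName(String s) {
        return s != null && !s.trim().isEmpty() && s.length() <= 100
                && s.indexOf('<') < 0 && s.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        Map<String, String> user = storedUser();
        System.out.println("vulnerable: " + renderUserRowVulnerable(user));
        System.out.println("escaped:    " + renderUserRowEscaped(user));
        System.out.println("firstName plausible: " + isPlausibleName(user.get("firstName")));
        System.out.println("lastName plausible:  " + isPlausibleName(user.get("lastName")));
    }
}
```

Running `main` prints the raw row with the `<img ...>` tag intact, the escaped row with `&lt;img src=x onmouseover=&quot;...&quot;&gt;` as inert text, and `true` / `false` for the two plausibility checks. The point for defenders reviewing this CVE is that the rendering side (`user_new.jsp` and any list or detail view showing the same fields) must encode for its output context regardless of what validation the admin form performs, because the value is stored once and rendered in many places.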
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | < 11.0.0 | 11.0.0 |
Affected products
- Alkacon/OpenCMS
Patches
- b20c293aac13: Improved some validation in User Management
1 file changed · +17 −6
src/org/opencms/ui/apps/user/CmsUserEditDialog.java+17 −6 modified@@ -31,6 +31,7 @@ import org.opencms.file.CmsGroup; import org.opencms.file.CmsObject; import org.opencms.file.CmsProject; +import org.opencms.file.CmsResource; import org.opencms.file.CmsUser; import org.opencms.main.CmsException; import org.opencms.main.CmsIllegalArgumentException; @@ -469,7 +470,12 @@ public CmsUserEditDialog(CmsObject cms, final Window window, String ou, final Cm setPasswordFields(); m_ou.setValue(ou.isEmpty() ? "/" : ou); m_group.setWidgetType(WidgetType.groupwidget); - m_group.setValue(ou + OpenCms.getDefaultUsers().getGroupUsers()); + try { + CmsGroup group = m_cms.readGroup(ou + OpenCms.getDefaultUsers().getGroupUsers()); + m_group.setValue(group.getName()); + } catch (CmsException e1) { + //There is no user group -> ok, keep field empty + } m_group.setRealPrincipalsOnly(true); m_group.setOU(m_ou.getValue()); try { @@ -805,9 +811,12 @@ protected void setupStartFolder(String startFolder) { m_startfolder.setUseRootPaths(true); if (!m_visSites) { try { - m_startfolder.setValue( - OpenCms.getOrgUnitManager().getResourcesForOrganizationalUnit(cmsCopy, m_ou.getValue()).get( - 0).getRootPath()); + List<CmsResource> ouResources = OpenCms.getOrgUnitManager().getResourcesForOrganizationalUnit( + cmsCopy, + m_ou.getValue()); + if (!ouResources.isEmpty()) { + m_startfolder.setValue(ouResources.get(0).getRootPath()); + } } catch (CmsException e1) { LOG.error("unable to read resources for ou", e1); } @@ -1042,7 +1051,9 @@ private void createNewUser() throws CmsException { if (!CmsStringUtil.isEmptyOrWhitespaceOnly(m_group.getValue())) { m_cms.addUserToGroup(user.getName(), m_group.getValue()); } - OpenCms.getRoleManager().addUserToRole(m_cms, (CmsRole)m_role.getValue(), user.getName()); + if (m_role.isVisible()) { + OpenCms.getRoleManager().addUserToRole(m_cms, (CmsRole)m_role.getValue(), user.getName()); + } m_user = user; } 
@@ -1101,7 +1112,7 @@ private boolean hasRoleForApp(I_CmsWorkplaceAppConfiguration app) { CmsGroup group = m_cms.readGroup(m_group.getValue()); CmsRole roleFromGroup = CmsRole.valueOf(group); CmsRole roleFromField = (CmsRole)m_role.getValue(); - if (!roleFromGroup.getChildren(true).contains(roleFromField)) { + if ((roleFromGroup == null) || !roleFromGroup.getChildren(true).contains(roleFromField)) { roleFromGroup = roleFromField; } if (roleFromGroup == null) {
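Review bot: in the constructor hunk (`@@ -469,7 +470,12 @@`) the new `catch (CmsException e1)` discards the exception with only the comment `//There is no user group -> ok, keep field empty`; an OU whose default Users group cannot be read is an unusual state worth at least a `LOG.debug(...)` (the class already has a `LOG`, used in the `setupStartFolder` hunk) so that an unexpectedly empty group field can be traced, and the otherwise unused `e1` then serves a purpose.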
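Review bot: in the `setupStartFolder` hunk (`@@ -805,9 +811,12 @@`) the `if (!ouResources.isEmpty())` guard removes the unchecked `get(0)` on an empty list, but an OU with no resources now leaves `m_startfolder` unset silently, whereas the adjacent `catch (CmsException e1)` branch logs; an `else` with a `LOG.warn` would keep the two failure paths symmetric. Note also that the hunk introduces `List<CmsResource>` while only `CmsResource` is added to the imports, so `java.util.List` must already be imported in this file for the change to compile.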
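Review bot: in the `createNewUser` hunk (`@@ -1042,7 +1051,9 @@`) the role assignment is gated on `m_role.isVisible()`, which is a widget presentation state; if the role field is ever hidden for layout rather than authorization reasons, the user is created without the role and nothing reports it, and the reason for the coupling is not documented. Suggest a comment stating the invariant this relies on (role field hidden means the current user may not assign roles), or a dedicated boolean set wherever the visibility is decided, so the authorization decision does not depend on the UI state alone.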
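Review bot: in the `hasRoleForApp` hunk (`@@ -1101,7 +1112,7 @@`) the added `(roleFromGroup == null) ||` guard avoids the NPE when `CmsRole.valueOf(group)` returns null, but the unchanged `m_cms.readGroup(m_group.getValue())` two lines above still throws `CmsException` for a group name that does not exist, and `hasRoleForApp` declares no throws clause; confirm this sits inside a try block that handles that case so an unknown group typed into the widget fails gracefully rather than as an error dialog. Minor: with the existing `if (roleFromGroup == null)` immediately below, the intent reads more clearly as an explicit null branch followed by the containment check.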
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-c8j6-gqq8-4prj (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2019-11818 (advisory)
[3] github.com/alkacon/opencms-core/commit/b20c293aac133e110a053f1e6665a9ae82cfdeb3 (fix commit)
[4] github.com/alkacon/opencms-core/issues/635 (issue)
[5] www.openwall.com/lists/oss-security/2019/04/30/3 (oss-security post)
News mentions
No linked articles in our index yet.