CVE-2019-13236

Vulnerability

Overview

In Alkacon OpenCms versions 10.5.4 and 10.5.5, the management interface located in system/workplace/ is affected by multiple cross-site scripting (XSS) vulnerabilities. Both reflected and stored XSS issues exist, allowing attackers to inject arbitrary web scripts or HTML via the affected parameters or input fields. The root cause is insufficient sanitization of user-supplied input before it is rendered in the browser [1][2].

Exploitation

Details

To exploit these vulnerabilities, an attacker must be authenticated and have access to the management interface. For reflected XSS, a crafted URL can be sent to a victim who is logged into the OpenCms workplace, causing the malicious script to execute in their session. For stored XSS, an attacker can inject persistent payloads that are stored on the server and later executed when other administrators view the affected pages [1][2].

Impact

Successful exploitation of these XSS vulnerabilities could allow an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or the execution of administrative actions on behalf of the victim. Given the management interface's access to sensitive content management functions, the impact is considered moderate to high, depending on the privileges of the victim [1][2].

Mitigation

Status

Patches have been released via commits in the alkacon/opencms-core repository on the branch_10_5_x branch [3]. Users should update to a patched version to remediate the vulnerability. No evidence of active exploitation in the wild has been reported as of the publication date [2].