Filtered by vendor Alkacon
Subscriptions
Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37602 | 1 Alkacon | 1 Opencms | 2024-11-21 | 6.1 Medium |
| An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file. | ||||
| CVE-2021-3312 | 1 Alkacon | 1 Opencms | 2024-11-21 | 6.5 Medium |
| An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document. | ||||
| CVE-2021-25968 | 1 Alkacon | 1 Opencms | 2024-11-21 | 5.4 Medium |
| In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. | ||||
| CVE-2019-13237 | 1 Alkacon | 1 Opencms Apollo Template | 2024-11-21 | 4.3 Medium |
| In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp. | ||||
| CVE-2019-13236 | 1 Alkacon | 1 Opencms | 2024-11-21 | N/A |
| In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface. | ||||
| CVE-2019-13235 | 1 Alkacon | 1 Opencms Apollo Template | 2024-11-21 | N/A |
| In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form. | ||||
| CVE-2019-13234 | 1 Alkacon | 1 Opencms Apollo Template | 2024-11-21 | N/A |
| In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine. | ||||
| CVE-2019-11819 | 1 Alkacon | 1 Opencms | 2024-11-21 | N/A |
| Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name. | ||||
| CVE-2019-11818 | 1 Alkacon | 1 Opencms | 2024-11-21 | N/A |
| Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded. | ||||
| CVE-2018-8815 | 1 Alkacon | 1 Opencms | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image. | ||||
| CVE-2018-8811 | 1 Alkacon | 1 Opencms | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows only registered users to upload different kind of content artifacts (SVG, .doc, .docx). The uploaded content is stored in the CMS content repository "as is". In case of scripts inside an SVG, this may or may not be "malicious", there is no way of knowing if the uploaded SVG contains the script for a reason. To exploit the "issue", a user must have an account in the CMS as a content manager | ||||