GHSA-c8j6-gqq8-4prj

Source

https://github.com/advisories/GHSA-c8j6-gqq8-4prj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c8j6-gqq8-4prj/GHSA-c8j6-gqq8-4prj.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-c8j6-gqq8-4prj

Aliases

CVE-2019-11818

Published

2022-05-24T21:59:46Z

Modified

2025-06-20T16:44:25.077789Z

Severity

1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U CVSS Calculator

Summary

Alkacon OpenCMS XSS via New User module

Details

Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-06-20T16:05:34Z",
    "nvd_published_at": "2019-05-08T16:29:00Z",
    "github_reviewed": true,
    "severity": "LOW"
}

References

Affected packages

Maven / org.opencms:opencms-core

Package

Name: org.opencms:opencms-core; View open source insights on deps.dev
Purl: pkg:maven/org.opencms/opencms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.0.0

Affected versions

8.*

8.0.1

8.0.2

8.0.3

8.0.3-rev

8.0.3.1

8.0.4

8.5.0

8.5.1

8.5.2

9.*

9.0.0

9.0.1

9.5.0

9.5.1

9.5.2

9.5.3

10.*

10.0.0

10.0.1

10.5.0

10.5.1

10.5.2

10.5.3

10.5.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c8j6-gqq8-4prj/GHSA-c8j6-gqq8-4prj.json"

last_known_affected_version_range

"<= 10.5.4"