Vulnerabilities > Alkacon > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-05-30 CVE-2024-5520 Cross-site Scripting vulnerability in Alkacon Opencms 16.0.0
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the “title” field.
network
low complexity
alkacon CWE-79
5.4
2024-05-30 CVE-2024-5521 Cross-site Scripting vulnerability in Alkacon Opencms 16.0.0
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code.
network
low complexity
alkacon CWE-79
6.4
2023-12-13 CVE-2023-6379 Unspecified vulnerability in Alkacon Opencms 14.0.0/15.0.0
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
network
low complexity
alkacon
6.1
2023-12-13 CVE-2023-6380 Unspecified vulnerability in Alkacon Opencms 14.0.0/15.0.0
Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template.
network
low complexity
alkacon
6.1
2023-07-20 CVE-2023-37602 Cross-site Scripting vulnerability in Alkacon Opencms 15.0.0
An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
network
low complexity
alkacon CWE-79
6.1
2023-05-16 CVE-2023-31544 Cross-site Scripting vulnerability in Alkacon Opencms 11.0
A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.
network
low complexity
alkacon CWE-79
5.4
2021-10-19 CVE-2021-25968 Cross-site Scripting vulnerability in Alkacon Opencms
In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality.
network
low complexity
alkacon CWE-79
5.4
2021-10-08 CVE-2021-3312 XXE vulnerability in Alkacon Opencms 11.0/11.0.1/11.0.2
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
network
low complexity
alkacon CWE-611
6.5
2019-08-27 CVE-2019-13237 Path Traversal vulnerability in Alkacon Opencms Apollo Template 10.5.4/10.5.5
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
network
low complexity
alkacon CWE-22
4.3
2019-08-27 CVE-2019-13236 Cross-site Scripting vulnerability in Alkacon Opencms 10.5.4/10.5.5
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.
network
low complexity
alkacon CWE-79
6.1