Description
Alkacon OpenCMS v10.5.4 and earlier is affected by stored cross-site scripting (XSS) in the New User module (/opencms/system/workplace/admin/accounts/user_new.jsp). An attacker can insert arbitrary JavaScript as user input in the First Name or Last Name field, and it is executed whenever the affected snippet is loaded.
Remediation
References
https://github.com/alkacon/opencms-core/issues/635
https://www.openwall.com/lists/oss-security/2019/04/30/3