Description
Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded.
Remediation
References
https://github.com/alkacon/opencms-core/issues/635
https://www.openwall.com/lists/oss-security/2019/04/30/3
Related Vulnerabilities
CVE-2023-33202 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on
CVE-2019-10249 Vulnerability in maven package org.eclipse.xtext:org.eclipse.xtext.maven.parent
CVE-2020-26301 Vulnerability in npm package ssh2
CVE-2018-11698 Vulnerability in maven package org.webjars.npm:node-sass
CVE-2020-36179 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind