Rehanah

**Name of the Vulnerable Software and Affected Versions** Alkacon OpenCms versions 9.5.1 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters, including the `homelink` parameter to "system/modules/org.opencms.workplace.help/jsptemplates/help head.jsp", the `workplaceresource` parameter to "system/workplace/locales/en/help/index.html", the `path` parameter to "system/workplace/views/admin/admin-main.jsp", the `mode` parameter to "system/workplace/views/explorer/explorer files.jsp", or the `query` parameter in a search action to "system/modules/org.opencms.workplace.help/elements/search.jsp". **Recommendations** For Alkacon OpenCms versions 9.5.1 and earlier, update to a version later than 9.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the specified API endpoints and parameters, such as `homelink`, `workplaceresource`, `path`, `mode`, and `query`, until a patch is available.