CVE-2015-2351

Name of the Vulnerable Software and Affected Versions Alkacon OpenCms versions 9.5.1 and earlier

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters, including the homelink parameter to "system/modules/org.opencms.workplace.help/jsptemplates/help head.jsp", the workplaceresource parameter to "system/workplace/locales/en/help/index.html", the path parameter to "system/workplace/views/admin/admin-main.jsp", the mode parameter to "system/workplace/views/explorer/explorer files.jsp", or the query parameter in a search action to "system/modules/org.opencms.workplace.help/elements/search.jsp".

Recommendations For Alkacon OpenCms versions 9.5.1 and earlier, update to a version later than 9.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the specified API endpoints and parameters, such as homelink, workplaceresource, path, mode, and query, until a patch is available.