PT-2019-12506 · Alkacon · Opencms

Pramod Rana · Published 2019-05-08 · Updated 2022-05-24 · CVE-2019-11819

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Alkacon OpenCMS versions 10.5.4 and before

Description
The issue concerns CSV (aka Excel Macro) Injection in the New User module, specifically through the "First Name" or "Last Name" fields in the /opencms/system/workplace/admin/accounts/user new.jsp endpoint.

Recommendations
For versions 10.5.4 and before, consider restricting access to the New User module until a fix is available, and avoid using the First Name or Last Name fields in the /opencms/system/workplace/admin/accounts/user new.jsp endpoint to minimize the risk of exploitation.
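
The risk described above arises when stored name fields reach a spreadsheet application unmodified. As an added example (not OpenCms code and not the vendor's fix), the following shows how a CSV export routine can neutralise formula-leading cells in the way OWASP's CSV injection guidance describes; the class name, helper names and sample records are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;

/** Added example: make user-supplied fields inert when writing them to CSV. */
public class CsvExportGuard {

    // Leading characters that spreadsheet applications treat as the start of a formula.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /** Returns the value neutralised for spreadsheets and quoted as a CSV field. */
    static String safeCell(String value) {
        String v = (value == null) ? "" : value;
        if (!v.isEmpty() && FORMULA_TRIGGERS.indexOf(v.charAt(0)) >= 0) {
            // A leading apostrophe makes the spreadsheet treat the cell as text.
            v = "'" + v;
        }
        // Always quote the field and double embedded quotes so that the value
        // cannot terminate its own field and start a new one.
        return "\"" + v.replace("\"", "\"\"") + "\"";
    }

    /** Joins already-neutralised cells into one CSV line. */
    static String safeRow(List<String> cells) {
        return cells.stream()
                .map(CsvExportGuard::safeCell)
                .collect(Collectors.joining(","));
    }

    public static void main(String[] args) {
        // Constructed sample records: login, first name, last name.
        List<List<String>> users = List.of(
                List.of("jdoe", "John", "Doe"),
                List.of("test1", "=1+1", "@SUM(A1:A2)"),
                List.of("test2", "Ann \"AJ\"", "-Smith, Jr."));

        System.out.println(safeRow(List.of("login", "firstname", "lastname")));
        for (List<String> user : users) {
            System.out.println(safeRow(user));
        }
    }
}
```

Neutralising at export time also covers names that were stored before any input validation was added to the account form.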

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2019-11819
GHSA-Q693-V7QF-P4XJ

Affected Products

Opencms