Alkacon · Opencms · CVE-2019-11818
**Name of the Vulnerable Software and Affected Versions**
Alkacon OpenCMS versions 10.5.4 and before
**Description**
The issue concerns stored cross-site scripting (XSS) in the New User module, specifically at the "/opencms/system/workplace/admin/accounts/user_new.jsp" endpoint. An attacker can insert arbitrary JavaScript as user input, such as in the `First Name` or `Last Name` fields, which will be executed whenever the affected snippet is loaded.
**Recommendations**
For versions 10.5.4 and before, consider disabling the New User module until a patch is available to prevent exploitation of the stored XSS issue. Restrict access to the "/opencms/system/workplace/admin/accounts/user_new.jsp" endpoint to minimize the risk of arbitrary JavaScript execution. Avoid using the `First Name` and `Last Name` fields in the New User module until the issue is resolved.
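Because the payload is stored, values already saved in the name fields remain in place after access is restricted. The following is an added example, not code from OpenCMS or from this advisory: it audits an export of user accounts for name fields that contain markup and shows the output-encoded form of each. The CSV layout and the column names `login`, `firstname` and `lastname` are assumptions, and the sample rows are constructed.

```python
import csv
import html
import io

# Characters that let a value leave HTML text or a double-quoted attribute.
# The apostrophe is left out because it occurs in real names (O'Brien); it is
# still neutralised by html.escape() at render time.
MARKUP_CHARS = set('<>"')
NAME_FIELDS = ("firstname", "lastname")  # assumed export column names

# Constructed sample export, not real OpenCMS data.
SAMPLE_EXPORT = '''\
login,firstname,lastname
jdoe,John,Doe
mallory,<script>alert(1)</script>,Smith
obrien,Conor,O'Brien
eve,Eve,"x"" onmouseover=""alert(1)"
rd,R&D,Team
'''


def render_cell(value: str) -> str:
    """Encode a stored name for HTML text or attribute context."""
    return html.escape(value, quote=True)


def audit(export_text: str) -> list[tuple[str, str, str]]:
    """Return (login, field, escaped value) for every name field holding markup."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        for field in NAME_FIELDS:
            value = row.get(field) or ""
            if MARKUP_CHARS & set(value):
                findings.append((row["login"], field, render_cell(value)))
    return findings


if __name__ == "__main__":
    for login, field, safe in audit(SAMPLE_EXPORT):
        print(f"{login}: {field} contains markup, encoded form: {safe}")
```

Flagged accounts should be reviewed and their name fields cleaned before the module is re-enabled.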