CVE-2019-11818

Name of the Vulnerable Software and Affected Versions Alkacon OpenCMS versions 10.5.4 and before

Description The issue concerns stored cross-site scripting (XSS) in the New User module, specifically at the "/opencms/system/workplace/admin/accounts/user new.jsp" endpoint. An attacker can insert arbitrary JavaScript as user input, such as in the First Name or Last Name fields, which will be executed whenever the affected snippet is loaded.

Recommendations For versions 10.5.4 and before, consider disabling the New User module until a patch is available to prevent exploitation of the stored XSS issue. Restrict access to the "/opencms/system/workplace/admin/accounts/user new.jsp" endpoint to minimize the risk of arbitrary JavaScript execution. Avoid using the First Name and Last Name fields in the New User module until the issue is resolved.