PT-2019-12506 · Alkacon · Opencms

Pramod Rana

Published

2019-05-08

Updated

2022-05-24

CVE-2019-11819

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Alkacon OpenCMS versions 10.5.4 and before

Description The issue concerns CSV (aka Excel Macro) Injection in the New User module, specifically through the "First Name" or "Last Name" fields in the /opencms/system/workplace/admin/accounts/user new.jsp endpoint.

Recommendations For versions 10.5.4 and before, consider restricting access to the New User module until a fix is available, and avoid using the First Name or Last Name fields in the /opencms/system/workplace/admin/accounts/user new.jsp endpoint to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1236

Related Identifiers

CVE-2019-11819

GHSA-Q693-V7QF-P4XJ

Affected Products

Opencms

PT-2019-12506 · Alkacon · Opencms

CVE-2019-11819

Weakness Enumeration

Related Identifiers

Affected Products

References · 6