Alkacon OpenCMS, Stored Cross-Site Scripting (XSS), CVE-2025-XXXX (Moderate)


How the CVE Works

The CVE-2025-XXXX vulnerability in Alkacon OpenCMS v17.0 arises from insufficient input sanitization of the “author” parameter during creation/modification. Attackers can inject malicious JavaScript or HTML payloads, which are stored in the database and executed when the is rendered. This stored XSS allows unauthorized script execution in the context of the victim’s session, potentially leading to session hijacking, defacement, or data theft. The attack requires no user interaction beyond viewing the compromised .

DailyCVE Form

Platform: Alkacon OpenCMS
Version: v17.0
Vulnerability: Stored XSS
Severity: Moderate
Date: Apr 18, 2025

What Undercode Says:

Exploitation:

1. Craft Payload:

<script>alert(document.cookie)</script>

2. Inject via Author Field:

POST /opencms/create_ HTTP/1.1
author=<script>malicious_code</script>

3. Trigger Execution: Victims execute payload when viewing the .

Detection:

1. Scan for Unsanitized Inputs:

grep -r "getParameter(\"author\")" /opencms_src/

2. Test with Dummy XSS:

<img src=x onerror=alert(1)>

Mitigation:

1. Patch: Apply OpenCMS v17.0.1+ input validation.

2. Sanitize Inputs:

String safeAuthor = ESAPI.encoder().encodeForHTML(request.getParameter("author"));

3. CSP Header:

Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline'

4. WAF Rules: Block `
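Added example (not code from the advisory or from OpenCMS) that checks mitigation steps 2 and 3 against the page's own test payloads: it applies HTML output encoding to the "author" value, verifies the encoded value can no longer open a tag, and evaluates a CSP header to show that the policy quoted above, with 'unsafe-inline' in script-src, would still permit the injected inline script, while a policy without it (or with a nonce) would not. The sample author values and the policy strings are constructed for the demonstration; the encoder used is Python's standard library rather than ESAPI.

```python
import html
import re

# Constructed sample input: the author values the advisory uses as test payloads.
SAMPLE_AUTHORS = [
    "Jane Doe",
    "<script>alert(document.cookie)</script>",
    "<img src=x onerror=alert(1)>",
]

# Anything an HTML parser would treat as the start of a tag.
TAG_START_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def encode_author_for_html(author: str) -> str:
    """Output-encode the author value for an HTML text/attribute context.
    This is the same class of fix as the ESAPI encodeForHTML line above."""
    return html.escape(author, quote=True)


def renders_as_markup(fragment: str) -> bool:
    """Regression check: does the fragment still contain a tag start?"""
    return TAG_START_RE.search(fragment) is not None


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_blocks_inline_scripts(header: str) -> bool:
    """True if the policy would block an injected inline <script>.
    script-src falls back to default-src when absent. 'unsafe-inline'
    permits inline scripts unless a nonce-/hash- source is also listed,
    in which case CSP Level 2+ browsers ignore 'unsafe-inline'."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no script restriction at all
    if "'unsafe-inline'" not in sources:
        return True
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
               for s in sources)


def audit_authors(authors=SAMPLE_AUTHORS) -> dict:
    """Map each raw author value to whether its encoded form is still markup."""
    return {a: renders_as_markup(encode_author_for_html(a)) for a in authors}
```

Run `audit_authors()` to see every sample value come back False after encoding, and compare `csp_blocks_inline_scripts` on the advisory's header against one using `script-src 'self'`.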
