The CVE-2025-1234 vulnerability in Alkacon OpenCMS v17.0 is a stored XSS flaw in the creation/modification function. Attackers can inject malicious JavaScript or HTML payloads through the image parameter field. When an administrator or user views the compromised , the payload executes in their browser session, potentially leading to session hijacking, defacement, or malware distribution. The attack persists because the input is not properly sanitized before being stored in the database and rendered on the frontend.
DailyCVE Form:
Platform: OpenCMS
Version: 17.0
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-04-21
What Undercode Say:
Exploitation:
1. Craft malicious payload:
<img src=x onerror=alert(document.cookie)>
2. Inject via image parameter during creation.
3. Payload triggers when victim views .
Detection:
Check for unsanitized inputs in:
String imageParam = request.getParameter("image");
Mitigation:
1. Apply input filtering:
import org.apache.commons.text.StringEscapeUtils;
String safeImage = StringEscapeUtils.escapeHtml4(imageParam);
2. Enable CSP headers:
add_header Content-Security-Policy "default-src 'self'";
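An added example (not OpenCMS code and not taken from the advisory) of the input-filtering step above: it validates the image value against an allowlist before use and attribute-encodes it at render time, with a hand-written encoder standing in for StringEscapeUtils so it runs without dependencies. The class name, the allowed-path pattern and the placeholder path are assumptions.

```java
import java.util.regex.Pattern;

public class ImageParamGuard {
    // Assumption: a valid image reference is a site-relative path with a known image extension.
    private static final Pattern ALLOWED =
        Pattern.compile("^/[A-Za-z0-9_./-]{1,200}\\.(?:png|jpe?g|gif|webp)$");

    /** Input-time validation: accept only plain image paths, reject everything else. */
    static boolean isAllowedImageRef(String value) {
        return value != null && ALLOWED.matcher(value).matches() && !value.contains("..");
    }

    /** Output-time encoding: neutralise characters that can close an attribute or open a tag. */
    static String escapeHtmlAttr(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Render a stored value; a value that fails validation is replaced by a fixed placeholder. */
    static String renderImg(String stored) {
        if (!isAllowedImageRef(stored)) {
            return "<img src=\"/static/placeholder.png\" alt=\"\">"; // hypothetical path
        }
        return "<img src=\"" + escapeHtmlAttr(stored) + "\" alt=\"\">";
    }

    public static void main(String[] args) {
        String[] samples = {  // constructed input; the two markup strings are the ones on this page
            "/images/team/photo-01.jpg",
            "<img src=x onerror=alert(document.cookie)>",
            "<script>alert(1)</script>",
        };
        for (String s : samples) {
            System.out.printf("allowed=%-5b encoded=%s%n  rendered=%s%n",
                isAllowedImageRef(s), escapeHtmlAttr(s), renderImg(s));
        }
    }
}
```

Validation and encoding are kept as separate layers: the allowlist constrains what the value may be, and the encoder protects the render path even for values stored before the check existed.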
Analytics:
- Attack complexity: Low
- Privileges required: User
- Impact: Session compromise
Commands:
1. Scan for vulnerability:
nuclei -t xss -u https://opencms-instance/s
2. Test payload:
POST /create- HTTP/1.1

image=<script>alert(1)</script>
Patch:
Update to OpenCMS 17.0.1 or apply:
- String image = request.getParameter("image"); + String image = sanitize(request.getParameter("image"));
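Review bot: on the added line, sanitize() is called but is not defined or imported anywhere in the visible change, so a reviewer cannot tell whether it HTML-encodes, strips markup, or validates the value. Name the concrete routine (for example the StringEscapeUtils.escapeHtml4 call shown under Mitigation) or include its definition in the patch, and state what it returns when request.getParameter("image") is null. It should also be documented whether encoding is intended here at input time or where the value is rendered, since encoding on input stores an altered value and will double-encode if the view escapes as well.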
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1234
Sources:
Reported By: github.com