CVE-2019-11818: Alkacon OpenCMS XSS via New User module

May 24, 2022 (updated June 20, 2025)

Alkacon OpenCMS v10.5.4 and before is affected by stored cross site scripting (XSS) in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp). This allows an attacker to insert arbitrary JavaScript as user input (First Name or Last Name), which will be executed whenever the affected snippet is loaded.

References

github.com/advisories/GHSA-c8j6-gqq8-4prj
github.com/alkacon/opencms-core
github.com/alkacon/opencms-core/commit/b20c293aac133e110a053f1e6665a9ae82cfdeb3
github.com/alkacon/opencms-core/issues/635
nvd.nist.gov/vuln/detail/CVE-2019-11818
www.openwall.com/lists/oss-security/2019/04/30/3

Code Behaviors & Features

Detect and mitigate CVE-2019-11818 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →