CVE-2019-11819: Alkacon OpenCMS CSV Injection via New User module

May 24, 2022 (updated June 19, 2025)

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.

References

github.com/advisories/GHSA-q693-v7qf-p4xj
github.com/alkacon/opencms-core
github.com/alkacon/opencms-core/issues/636
nvd.nist.gov/vuln/detail/CVE-2019-11819
www.openwall.com/lists/oss-security/2019/05/05/2

Code Behaviors & Features

Detect and mitigate CVE-2019-11819 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →