![OpenCMS](http://www.opencms.org/export/system/modules/org.opencms.website.template/resources/img/logo/logo_opencms.gif)
About one month ago, High-Tech Bridge Security Research Lab discovered two cross-site scripting (XSS) vulnerabilities in OpenCms version 8.5.1. They were disclosed in recent days as "Multiple Cross-Site Scripting (XSS) in OpenCms: CVE-2013-4600".
Descriptions of the vulnerabilities:

1. The first vulnerability exists due to insufficient sanitisation of user-supplied data in the "title" HTTP GET parameter passed to the "opencms/opencms/system/workplace/views/admin/admin-main.jsp" script.
2. The second vulnerability exists due to insufficient sanitisation of user-supplied data in the "requestedResource" HTTP POST parameter passed to the "opencms/opencms/system/login/index.html" URL.

These issues are now fixed and a solution is available: upgrade to OpenCms 8.5.2.
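For a site that was running 8.5.1, the first issue can be triaged from web server access logs, since the "title" value travels in the query string. The following is an added example, not code from the advisory or from OpenCms: it assumes a combined-format access log, the log lines are constructed samples, and the function and constant names are hypothetical. The "requestedResource" value is sent in a POST body, which standard access logs do not record, so it is not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path and parameter named in the advisory text above.
ADMIN_MAIN = "/system/workplace/views/admin/admin-main.jsp"
PARAM = "title"
# Characters that let a reflected value break out of HTML text or an attribute.
# Heuristic only: a legitimate title containing a quote is flagged as well.
MARKUP = re.compile(r"[<>\"']")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP addresses, invented values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2013:10:00:00 +0000] "GET /opencms/opencms/system/workplace/views/admin/admin-main.jsp?title=Administration HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Aug/2013:10:02:13 +0000] "GET /opencms/opencms/system/workplace/views/admin/admin-main.jsp?title=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5188',
    '192.0.2.44 - - [01/Aug/2013:10:02:40 +0000] "GET /opencms/opencms/system/workplace/views/admin/admin-main.jsp?title=%253Cb%253Eprobe HTTP/1.1" 200 5170',
    '192.0.2.10 - - [01/Aug/2013:10:05:00 +0000] "GET /opencms/opencms/index.html?title=%3Cb%3E HTTP/1.1" 200 900',
]


def suspicious_titles(log_lines):
    """Return (line_number, decoded_title) for requests to admin-main.jsp
    whose title parameter contains HTML markup characters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        if not url.path.endswith(ADMIN_MAIN):
            continue  # some other resource
        # parse_qs percent-decodes once; decode again to catch double encoding.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            decoded = unquote(value)
            if MARKUP.search(decoded):
                hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, title in suspicious_titles(SAMPLE_LOG):
        print(f"line {number}: title={title!r}")
```

A hit means only that markup was sent in the parameter; whether it was reflected unescaped depends on the OpenCms version serving the request at that time.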