CVE-2023-6379
Published 2023-12-13
Priority: P337 | medium | 6.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.77% (75.3th percentile)
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to a victim and partially take control of their browsing session.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alkacon | open_cms | — | — |
| alkacon | open_cms | — | — |
| alkacon | opencms | >= 14.0.0 < 16.0.0 | 16.0.0 |
OSV
Alkacon OpenCMS XSS via Mercury template
osv·2023-12-13
CVE-2023-6379 [MEDIUM] Alkacon OpenCMS XSS via Mercury template
GHSA
Alkacon OpenCMS XSS via Mercury template
ghsa·2023-12-13
CVE-2023-6379 [MEDIUM] CWE-79 Alkacon OpenCMS XSS via Mercury template
No detection rules found.
Nuclei
OpenCMS 14 & 15 - Cross Site Scripting
nuclei·CVSS 6.1
CVE-2023-6379 [MEDIUM] OpenCMS 14 & 15 - Cross Site Scripting
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
Template:

```yaml
id: CVE-2023-6379

info:
  name: OpenCMS 14 & 15 - Cross Site Scripting
  author: msegoviag
  severity: medium
  description: |
    Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.
  impact: |
    Unauthenticated attackers can inject malicious JavaScript through multiple parameters in OpenCMS Mercury template pages to steal user session cookies and execute attacks against OpenCMS users.
  remediation: |
    Update to version OpenCMS 16
  reference:
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2023-6379
    - https://nvd.nist.gov/vuln/detai
```
Published: 2023-12-13