CVE-2024-5520
Published 2024-05-30
CVE-2024-5520: Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to…
Priority: P424 · medium · 5.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.29% (20.2nd percentile)
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel to execute malicious JavaScript code after inserting code in the “title” field.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alkacon | opencms | — | — |
| alkacon | opencms | — | — |
| gpac | gpac | >= 0 < 0.5.0+svn4288~dfsg1-4ubuntu1+esm2 | 0.5.0+svn4288~dfsg1-4ubuntu1+esm2 |
| gpac | gpac | >= 0 < 0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1+esm2 | 0.5.2-426-gc5ad4e4+dfsg5-1ubuntu0.1+esm2 |
| gpac | gpac | >= 0 < 0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1+esm1 | 0.5.2-426-gc5ad4e4+dfsg5-3ubuntu0.1+esm1 |
| gpac | gpac | >= 0 < 0.5.2-426-gc5ad4e4+dfsg5-5ubuntu0.1~esm2 | 0.5.2-426-gc5ad4e4+dfsg5-5ubuntu0.1~esm2 |
| gpac | gpac | >= 0 < 2.0.0+dfsg1-2ubuntu0.1~esm2 | 2.0.0+dfsg1-2ubuntu0.1~esm2 |
| gpac | gpac | >= 0 < 2.2.1+dfsg1-3.1ubuntu0.1~esm2 | 2.2.1+dfsg1-3.1ubuntu0.1~esm2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | v3.1 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | 7.7 | HIGH | — |
OSV
gpac vulnerabilities
osv · 2025-03-04 · CVSS 7.7
CVE-2023-5520 gpac vulnerabilities
It was discovered that the GPAC MP4Box utility incorrectly handled certain AC3 files, which could lead to an out-of-bounds read. A remote attacker could use this issue to cause MP4Box to crash, resulting in a denial of service (system crash). This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2023-5520, CVE-2024-0322)

It was discovered that the GPAC MP4Box utility incorrectly handled certain malformed text files. If a user or automated system using MP4Box were tricked into opening a specially crafted RST file, an attacker could use this issue to cause a denial of service (system crash) or execute arbitrary code. (CVE-2024-0321)
GHSA
OpenCMS Cross-Site Scripting vulnerability
ghsa · 2024-05-30
CVE-2024-5520 [MEDIUM] CWE-79 OpenCMS Cross-Site Scripting vulnerability
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16. The first could allow a user with sufficient privileges to create and modify web pages through the admin panel to execute malicious JavaScript code after inserting code in the `title` field. In the second, a user having the role of gallery editor or VFS resource manager has permission to upload images in the .svg format containing JavaScript code; the code is executed the moment another user accesses the image.
OSV
OpenCMS Cross-Site Scripting vulnerability
osv · 2024-05-30
CVE-2024-5520 [MEDIUM] OpenCMS Cross-Site Scripting vulnerability
Suricata
GPL WEB_SERVER perl post attempt
suricata · 2010-09-23
CVE-2002-1436 GPL WEB_SERVER perl post attempt
Rule:

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER perl post attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:2101979; rev:8; metadata:created_at 2010_09_23, cve CVE_2002_1436, signature_severity Unknown, updated_at 2024_03_08;)
```
No public exploits indexed.
No writeups or analysis indexed.