GCVE - cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*

part: a version: 6.0.0 update: *

Vendor	Alkacon (`3bbcd211-d08b-568f-b8a5-0c270556c43d`)
Product	Opencms (`443c1ba7-ecf6-55d1-8f09-8482e1caa421`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/alkacon/opencms-core`	purl2cpe	2026-06-01 10:16:11.142650
`pkg:maven/org.opencms/opencms-core`	purl2cpe	2026-06-01 10:16:11.142652

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2013-4600`	vulnerable	2026-06-08 05:04:48.681994	Details available Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to system/login/index.html. Published: 2013-08-09T21:00:00.000Z Updated: 2024-09-16T16:42:52.265Z Open on db.gcve.eu Reference links http://archives.neohapsis.com/archives/bugtraq/2013-07/0113.html https://github.com/alkacon/opencms-core/issues/173 http://www.opencms.org/en/news/130710-opencms-v852-releasenotes.html https://www.htbridge.com/advisory/HTB23160	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-3936`	vulnerable	2026-06-08 04:49:10.553720	Details available system/workplace/editors/editor.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to read the source code of arbitrary JSP files by specifying the file in the resource parameter, as demonstrated using index.jsp. Published: 2006-07-31T22:00:00.000Z Updated: 2024-08-07T18:48:39.404Z Open on db.gcve.eu Reference links http://secunia.com/advisories/21193 https://exchange.xforce.ibmcloud.com/vulnerabilities/28001 http://www.opencms.org/opencms/en/shownews.html?id=1002 http://securityreason.com/securityalert/1302 http://www.securityfocus.com/archive/1/441182/100/0/threaded	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-3935`	vulnerable	2026-06-08 04:49:10.550300	Details available system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp. Published: 2006-07-31T22:00:00.000Z Updated: 2024-08-07T18:48:39.419Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/28026 http://secunia.com/advisories/21193 http://www.opencms.org/opencms/en/shownews.html?id=1002 http://securityreason.com/securityalert/1302 http://www.securityfocus.com/archive/1/441182/100/0/threaded	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-3934`	vulnerable	2026-06-08 04:49:10.549508	Details available Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter. Published: 2006-07-31T22:00:00.000Z Updated: 2024-08-07T18:48:39.330Z Open on db.gcve.eu Reference links http://secunia.com/advisories/21193 http://www.opencms.org/opencms/en/shownews.html?id=1002 http://securityreason.com/securityalert/1302 http://www.securityfocus.com/archive/1/441182/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/28000	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-3933`	vulnerable	2026-06-08 04:49:10.546743	Details available Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.2.2 allows remote authenticated users to inject arbitrary web script or HTML via the message body. Published: 2006-07-31T22:00:00.000Z Updated: 2024-08-07T18:48:39.325Z Open on db.gcve.eu Reference links http://secunia.com/advisories/21193 http://www.opencms.org/opencms/en/shownews.html?id=1002 http://securityreason.com/securityalert/1302 http://www.securityfocus.com/archive/1/441182/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/28033	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2006-2571`	vulnerable	2026-06-08 04:49:07.087991	Details available Cross-site scripting (XSS) vulnerability in search.html in Alkacon OpenCms 6.0.0, 6.0.2, and 6.0.3 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search action. Published: 2006-05-24T23:00:00.000Z Updated: 2024-08-07T17:58:51.421Z Open on db.gcve.eu Reference links http://www.osvdb.org/25710 http://www.eazel.es/media/advisory002-OpenCms-Xml-Content-Demo-search-engine-Cross-site-scripting.html http://securitytracker.com/id?1016158 http://www.vupen.com/english/advisories/2006/1931 http://secunia.com/advisories/20251	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2005-4294`	vulnerable	2026-06-08 04:48:43.548494	Details available Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.0.3 allows remote attackers to inject arbitrary web script or HTML via the username in the login page. Published: 2005-12-16T11:00:00.000Z Updated: 2024-08-07T23:38:51.632Z Open on db.gcve.eu Reference links http://secunia.com/advisories/18046 http://www.vupen.com/english/advisories/2005/2923 http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1910 http://www.securityfocus.com/bid/15882 http://www.opencms.org/opencms/en/download/opencms.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.