CVE-2018-8811

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-8811
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8811.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-8811
Published
2018-03-20T07:29:00.243Z
Modified
2026-04-10T04:08:26.758218Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows only registered users to upload different kind of content artifacts (SVG, .doc, .docx). The uploaded content is stored in the CMS content repository "as is". In case of scripts inside an SVG, this may or may not be "malicious", there is no way of knowing if the uploaded SVG contains the script for a reason. To exploit the "issue", a user must have an account in the CMS as a content manager

References

Affected packages

Git / github.com/alkacon/opencms-core

Affected ranges

Type
GIT
Repo
https://github.com/alkacon/opencms-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d5e099d25ca03aebc3df995016f9ebcf40e35df8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.5.3"
        }
    ]
}

Affected versions

Other
build_10_0_0
build_10_0_0_alpha_1
build_10_0_0_alpha_1u
build_10_0_0_alpha_2
build_10_0_0_beta
build_10_0_0_beta3
build_10_0_0_beta4
build_10_0_0_beta_2
build_10_5_0
build_10_5_0_1
build_10_5_0_2
build_10_5_0_3
build_10_5_0_5
build_10_5_0_beta
build_10_5_1
build_10_5_2
build_10_5_3
build_10_5_x_cmsdays
build_4_7_10
build_4_7_11
build_4_7_12
build_4_7_13
build_4_7_14
build_4_7_6
build_4_7_8
build_4_7_9
build_5_0_0
build_5_0_0_beta_1
build_5_0_0_beta_2
build_5_0_0_rc_1
build_5_0_0_rc_2
build_5_1_0
build_5_1_1
build_5_1_10
build_5_1_11
build_5_1_12
build_5_1_3
build_5_1_4
build_5_1_5
build_5_1_6
build_5_1_7
build_5_1_8
build_5_1_9
build_5_3_1
build_5_3_3
build_5_3_4
build_5_3_5
build_5_3_6
build_5_5_1
build_5_5_2
build_5_5_3
build_5_5_4
build_5_7_1
build_5_7_2
build_5_7_3
build_5_9_1
build_5_9_2
build_6_0_0
build_6_0_1
build_6_0_2
build_6_0_3
build_6_0_4
build_6_0_5
build_6_1_13
build_6_2_0
build_6_2_1
build_6_2_2
build_6_2_3
build_7_0_0
build_7_0_1
build_7_0_2
build_7_0_4
build_7_3_0
build_7_5_0_beta_1
build_7_9_2
build_8_0_0
build_8_0_1
build_8_0_2
build_8_0_2_1
build_8_0_3
build_8_5_0
build_8_5_1
build_8_7_0
build_8_9_0
build_9_0_0
build_9_0_0_1
build_9_5_0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8811.json"