CVE-2019-13234
MEDIUM
Alkacon OpenCms Apollo Template 10.5.4-10.5.5 - Cross-Site Scripting in Search Engine
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-13234.
AI-analyzed exploit summary: The exploit demonstrates two reflected XSS vulnerabilities in Alkacon OpenCMS 10.5.x. The first occurs in the search engine via the 'q' parameter, and the second is triggered by manipulating the X-Forwarded-For header in the login form.
Description
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.
Exploits (1)
exploitdb
WORKING POC
webapps multiple
https://www.exploit-db.com/exploits/47338
Classification
Working PoC 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
Alkacon OpenCMS 10.5.x
No auth needed
Prerequisites:
Access to the target OpenCMS instance
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026
References (3)
Core References
Patch x_refsource_misc
https://github.com/alkacon/apollo-template/commits/branch_10_5_x
Exploit, Third Party Advisory x_refsource_misc
https://aetsu.github.io/OpenCms
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/154298/Alkacon-OpenCMS-10.5.x-Cross-Site-Scripting.html
Scores
CVSS v3
6.1
EPSS
0.0168
EPSS Percentile
82.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
alkacon/opencms_apollo_template
10.5.4
alkacon/opencms_apollo_template
10.5.5
org.opencms/opencms-core
0 - 11.0.1 (Maven)
Published
Aug 27, 2019
Tracked Since
Feb 18, 2026