CVE-2019-13235

MEDIUM

Alkacon OpenCms Apollo Template 10.5.4-10.5.5 - Cross-Site Scripting in Login Form


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13235. PoCs published by Aetsu.

AI-analyzed exploit summary: This exploit demonstrates two reflected XSS vulnerabilities in Alkacon OpenCMS 10.5.x. The first occurs in the search engine via the 'q' parameter, and the second is triggered by manipulating the X-Forwarded-For header in the login form.

Description

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.

Exploits (1)

exploitdb WORKING POC
by Aetsu · text · webapps · multiple
https://www.exploit-db.com/exploits/47338

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Alkacon OpenCMS 10.5.x
No auth needed
Prerequisites: Access to the target OpenCMS instance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (3)

Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://aetsu.github.io/OpenCms

Scores

CVSS v3 6.1
EPSS 0.0353
EPSS Percentile 88.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
alkacon/opencms_apollo_template 10.5.4
alkacon/opencms_apollo_template 10.5.5
org.opencms/opencms-core 0 - 11.0.1 (Maven)
Published Aug 27, 2019
Tracked Since Feb 18, 2026