Application: OpenCms Version: 7.5.0 Hardware: Tomcat/Oracle Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error Overview: Various URL's within the deployed OpenCms application version 7.5.0 are open to attacks, including Cross-Site Scripting, Phishing Through Frames and Application Error. Some of these attacks allow injection of scripts into a parameter in the request. The application should filter out such hazardous characters from user input. Example follows: Vulnerable URL (from the OpenCms VFS): /opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/ help_head.jsp?&homelink=>"'> Results: Insertion of the script into the homelink parameter successfully embeds the script in the response and is executed once the page is loaded into the user's browser (i.e. vulnerable to Cross-Site Scripting) Below find the complete list of vulnerable URL's (all paths are relative to the OpenCms VFS). All issues are of High risk. /opencms/opencms/system/modules/org.opencms.workplace.help/elements/sear ch.jsp Remediation: Filter out hazardous characters from user input Parameter(s): query Vulnerability(s): Cross-Site Scripting /opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/ help_head.jsp Remediation: Filter out hazardous characters from user input Parameter(s): homelink Vulnerability(s): Cross-Site Scripting, Phishing Through Frames /opencms/opencms/system/workplace/commons/preferences.jsp Remediation: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions Parameter(s): tabdicopyfilemode, tabdicopyfoldermode, tabdideletefilemode Vulnerability(s): Application Error /opencms/opencms/system/workplace/commons/property.jsp Remediation: Filter out hazardous characters from user input Parameter: resource Vulnerability(s): Cross-Site Scripting /opencms/opencms/system/workplace/commons/publishproject.jsp Remediation: Filter out hazardous characters from user input Parameter(s): title, cancel, dialogtype, framename, progresskey, projected, projectname, publishsiblings, relatedresources, subresources Vulnerability(s): Cross-Site Scripting, Phishing Through Frames, SQL Injection /opencms/opencms/system/workplace/commons/publishresource.jsp Remediation: Filter out hazardous characters from user input Parameter(s): Vulnerability(s): Cross-Site Scripting /opencms/opencms/system/workplace/commons/unlock.jsp Remediation: Filter out hazardous characters from user input Parameter(s): title Vulnerability(s): Cross-Site Scripting, Phishing Through Frames /opencms/opencms/system/workplace/editors/editor.jsp Remediation: Filter out hazardous characters from user input Parameter(s): resource Vulnerability(s): Cross-Site Scripting /opencms/opencms/system/workplace/editors/dialogs/elements.jsp Remediation: Filter out hazardous characters from user input Parameter(s): elementlanguage, resource, title Vulnerability(s): Cross-Site Scripting, Phishing Through Frames /opencms/opencms/system/workplace/locales/en/help/index.html Remediation: Filter out hazardous characters from user input Parameter(s): workplaceresource Vulnerability(s): Phishing Through Frames /opencms/opencms/system/workplace/views/admin/admin-main.jsp Remediation: Filter out hazardous characters from user input Parameter(s): path Vulnerability(s): Cross-Site Scripting /opencms/opencms/system/workplace/views/explorer/contextmenu.jsp Remediation: Filter out hazardous characters from user input Parameter(s): acttarget Vulnerability(s): Cross-Site Scripting, Phishing Through Frames /opencms/opencms/system/workplace/views/explorer/explorer_files.jsp Remediation: Filter out hazardous characters from user input Parameter(s): mode Vulnerability(s): Cross-Site Scripting Katie French CGI Federal 12601 Fair Lakes Circle Fairfax,VA 22033 FFX: (703) 227-5642 RRB: (202) 564-0475