We fixed this issue in the current CVS HEAD of OpenCms. The fix will be included in the next public release of OpenCms. Thanks for improving security of OpenCms.