Cross-site Scripting Vulnerability in Zikula Application Framework

Overview :

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the ‘themename’ parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

Affected Product(s) :

Zikula 1.3.0, build #3168 and probably prior

Vulnerability Details :

CVE ID :	CVE-2011-3352
	Cross-site scripting (XSS) vulnerability in Zikula Application Framework Input passed via the “themename” parameter to “ztemp/view_compiled/Theme/theme_admin_setasdefault.php” is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a administrator’s browser session in context of affected website.

Solution :

Upgrade to Zikula 1.3.1

More information :
https://github.com/zikula/core/commit/d6e6c283f18b3dcb7e92b46a7ad63fc7c7e112e2
https://github.com/zikula/core/commit/564ab97067d5e71f0df6ab2bb1d2b0d385cc27a7

Cross-site Scripting Vulnerability in Zikula Application Framework

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-48889 : FORTINET FORTIMANAGER UP TO 6.4.14/7.0.12/7.2.7/7.4.4/7.6.0 FGFM REQUEST OS COMMAND INJECTION

CVE-2023-34990 : FORTINET FORTIWLM UP TO 8.5.4/8.6.5 WEB REQUEST PATH TRAVERSAL

CVE-2024-47104 : IBM I 7.4/7.5 PHYSICAL FILE SECURITY ATTRIBUTES PERMISSION ASSIGNMENT