Cross-site Scripting Vulnerability in Zikula Application Framework

Overview :

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the ‘themename’ parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

Affected Product(s) :

Zikula 1.3.0, build #3168 and probably prior

Vulnerability Details :

CVE ID :	CVE-2011-3352
	Cross-site scripting (XSS) vulnerability in Zikula Application Framework Input passed via the “themename” parameter to “ztemp/view_compiled/Theme/theme_admin_setasdefault.php” is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a administrator’s browser session in context of affected website.

Solution :

Upgrade to Zikula 1.3.1

More information :
https://github.com/zikula/core/commit/d6e6c283f18b3dcb7e92b46a7ad63fc7c7e112e2
https://github.com/zikula/core/commit/564ab97067d5e71f0df6ab2bb1d2b0d385cc27a7

Contact us to get started

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

Description A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB)

Learn more

CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

Description A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could

Learn more

CVE-2024-50340 : SYMFONY INJECTION

Description symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the

Learn more