Overview :
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the ‘themename’ parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.
Affected Product(s) :
  • Zikula 1.3.0, build #3168 and probably prior
Vulnerability Details :
CVE ID : CVE-2011-3352
Cross-site scripting (XSS) vulnerability in Zikula Application Framework
Input passed via the “themename” parameter to “ztemp/view_compiled/Theme/theme_admin_setasdefault.php” is not properly sanitised before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in a administrator’s browser session in context of affected website.

Solution :

Upgrade to Zikula 1.3.1

More information :