Cross-site Scripting Vulnerability in Zikula Application Framework

Overview :

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the ‘themename’ parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

Affected Product(s) :

Zikula 1.3.0, build #3168 and probably prior

Vulnerability Details :

CVE ID :	CVE-2011-3352
	Cross-site scripting (XSS) vulnerability in Zikula Application Framework Input passed via the “themename” parameter to “ztemp/view_compiled/Theme/theme_admin_setasdefault.php” is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a administrator’s browser session in context of affected website.

Solution :

Upgrade to Zikula 1.3.1

More information :
https://github.com/zikula/core/commit/d6e6c283f18b3dcb7e92b46a7ad63fc7c7e112e2
https://github.com/zikula/core/commit/564ab97067d5e71f0df6ab2bb1d2b0d385cc27a7

Cross-site Scripting Vulnerability in Zikula Application Framework

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-34066 : TEXERCISE UP TO 0.0.12 ON PYTHON BACKDOOR

CVE-2022-32405 : SOURCECODESTER PRISON MANAGEMENT SYSTEM 1.0 VIEW_PRISON.PHP ID SQL INJECTION

CVE-2022-20651 : CISCO ADAPTIVE SECURITY DEVICE MANAGER LOG FILE