Latest Security News about zikula 1 3 0

TemaTres 3.0 has reflected XSS vuln

Overview : TemaTres 3.0 has reflected XSS via the replace_string or search_string parameter to the vocab/admin.php?doAdmin=bulkReplace URI. Affected Product(s) : TemaTres 3.0 Vulnerability Details : CVE ID : CVE-2019-14344 The parameters “replace_string” and “search_string” POST request (XSS reflected) Solution : Upgrade to TemaTres 3.1 More information : https://github.com/zikula/core/commit/d6e6c283f18b3dcb7e92b46a7ad63fc7c7e112e2

Cross-site Scripting Vulnerability in Zikula Application Framework

Overview : Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the ‘themename’ parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website. Affected Product(s) […]