CVE Request -- Zikula (v1.3.x) -- XSS flaw due to improper sanitization of 'themename' parameter when setting default, modifying and deleting themes
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 08 Sep 2011 15:19:13 +0200
Hello Josh, Steve, vendors,
it was found that the Zikula web application framework did not
properly sanitize the 'themename' parameter while setting a particular
theme as the default one, modifying the theme, or deleting it. A remote
attacker with Zikula administrator privileges could use this flaw to
execute arbitrary HTML or web script code in the context of the
Relevant upstream patch:
Vulnerable Zikula versions: Development versions prior to patch .
Not vulnerable versions: Zikula v1.2.7 (stable). It does not yet contain
the code in question.
Provided PoC (from , ):
Could you allocate a CVE id for this?
Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
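The pattern the report describes, shown as an added illustration that is not Zikula's code and not part of the original message: an administrator-only theme action reflects the 'themename' request parameter into the HTML response without encoding, beside a hardened form that allow-lists the value against installed themes and output-encodes it. The function names, the installed-theme list and the sample inputs are all constructed for the example.

```php
<?php
// Added illustration, not Zikula's code. Models the flaw described in the
// advisory: an admin-only theme action echoes the 'themename' request
// parameter back into markup. All names below are hypothetical.

// Vulnerable form: the parameter is concatenated straight into HTML, so a
// value such as  "><script>alert(1)</script>  (URL-encoded in a link an
// administrator is lured into following) executes in the admin's session.
function render_theme_status_vulnerable(array $request): string
{
    $themename = $request['themename'] ?? '';
    return '<p>Theme ' . $themename . ' set as default.</p>';
}

// Hardened form, two layers:
//  1. Allow-list: the value must name an installed theme (constructed list
//     passed in by the caller) before anything is done with it.
//  2. Output-encode it anyway when it is written into HTML, so that even an
//     unexpected value cannot break out of the text node.
function render_theme_status_hardened(array $request, array $installed): string
{
    $themename = $request['themename'] ?? '';
    if (!in_array($themename, $installed, true)) {
        return '<p>Unknown theme.</p>';
    }
    $safe = htmlspecialchars($themename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Theme ' . $safe . ' set as default.</p>';
}

// Constructed inputs for a local run:  php xss_themename.php
$installed = ['example_light', 'example_dark'];   // constructed theme names
$payload   = ['themename' => '"><script>alert(1)</script>'];

// Script tag reaches the page unchanged:
echo render_theme_status_vulnerable($payload), "\n";
// Rejected by the allow-list:
echo render_theme_status_hardened($payload, $installed), "\n";
// Odd but installed name is encoded (Sea&lt;Breeze), never interpreted as markup:
echo render_theme_status_hardened(['themename' => 'Sea<Breeze'], ['Sea<Breeze']), "\n";
```

The allow-list alone would already defeat the reported payload, but encoding at the output point is what keeps the page safe if the list of theme names is ever populated from a less trusted source (an uploaded theme archive, for instance), so both checks belong in the fix.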