Zikula Application Framework Security Vulnerabilities and Issues — Zikula Application Framework CVE List

Lucene search

ZikulaZikula Application Framework

11 matches found

CVE•added 2010/05/06 2:53 p.m.•70 views

CVE-2010-1724

Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage....

4.3CVSS5.7AI score0.02874EPSS

CVE•added 2019/11/19 11:15 p.m.•65 views

CVE-2011-3352

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context...

4.8CVSS5.4AI score0.00302EPSS

CVE•added 2011/10/04 10:55 a.m.•44 views

CVE-2011-3979

Cross-site scripting (XSS) vulnerability in ztemp/view_compiled/Theme/theme_admin_setasdefault.php in the theme module in Zikula Application Framework 1.3.0 build 3168, 1.2.7, and probably other versions allows remote attackers to inject arbitrary web script or HTML via the themename parameter in t...

4.3CVSS5.8AI score0.14741EPSS

CVE•added 2011/02/08 10:0 p.m.•43 views

CVE-2010-4728

Zikula before 1.3.1 uses the rand and srand PHP functions for random number generation, which makes it easier for remote attackers to defeat protection mechanisms based on randomization by predicting a return value, as demonstrated by the authid protection mechanism.

5CVSS6.9AI score0.00345EPSS

CVE•added 2011/02/08 10:0 p.m.•41 views

CVE-2011-0535

Cross-site request forgery (CSRF) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to hijack the authentication of administrators for requests that change account privileges via an edit access_permissions action to index.php.

6.8CVSS7.2AI score0.00464EPSS

CVE•added 2010/05/06 12:47 p.m.•38 views

CVE-2010-1732

Cross-site request forgery (CSRF) vulnerability in the users module in Zikula Application Framework before 1.2.3 allows remote attackers to hijack the authentication of administrators for requests that change the administrator email address (updateemail action).

6.8CVSS6.9AI score0.00109EPSS

CVE•added 2013/11/14 8:55 p.m.•38 views

CVE-2013-6168

Cross-site scripting (XSS) vulnerability in Zikula Application Framework before 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the returnpage parameter to index.php.

4.3CVSS5.7AI score0.0034EPSS

CVE•added 2018/03/26 6:29 p.m.•38 views

CVE-2014-2293

Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) ...

9.8CVSS9.7AI score0.16849EPSS

CVE•added 2011/02/08 10:0 p.m.•37 views

CVE-2011-0911

Cross-site scripting (XSS) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: it is possible that this overlaps CVE-2011-0535.

4.3CVSS5.7AI score0.00464EPSS

CVE•added 2011/02/08 10:0 p.m.•34 views

CVE-2010-4729

Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissi...

6.8CVSS7.2AI score0.00182EPSS

CVE•added 2016/12/05 8:59 a.m.•29 views

CVE-2016-9835

Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.

9.8CVSS9.5AI score0.03905EPSS