10 matches found
CVE-2010-1724
CVE-2010-1724 affects Zikula Application Framework (v1.2.2 and possibly earlier). The vulnerability is XSS in the index.php handling of func and lang parameters via ZLanguage.php, enabling remote injection of arbitrary script/HTML. OpenVAS entries corroborate multiple XSS/CSRF issues for Zikula. ...
CVE-2011-0535
CVE-2011-0535 affects Zikula’s Users module prior to version 1.2.5. The vulnerability is a CSRF flaw that lets an attacker hijack administrator sessions and perform privilege changes via an edit_access_permissions action to index.php. Root cause: CSRF in the Users module. Impact per source: unaut...
CVE-2010-4728
The CVE affects Zikula
CVE-2010-1732
Zikula Application Framework up to version 1.2.3 has a CSRF vulnerability in the users module (updateemail action) that could allow an attacker to hijack an administrator’s email address. The flaw is addressed in the 1.2.3 release, which upstream fixed two security issues (XSS and CSRF) and remov...
CVE-2011-3979
Vulnerability: Zikula Application Framework (theme module) has an XSS in ztemp/view_compiled/Theme/theme_admin_setasdefault.php. Affected versions include 1.3.0 build 3168 and 1.2.7 (likely others). Impact: remote attackers can inject arbitrary HTML/Script via the themename parameter in the setos...
CVE-2011-0911
CVE-2011-0911 (NVD entry) : Affected product is Zikula CMS, specifically the Users module, prior to version 1.2.5. It is described as a Cross-site Scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The root cause is not detai...
CVE-2013-6168
CVE-2013-6168 affects Zikula Application Framework (pre-1.3.6). The vulnerability arises from insufficient sanitisation of the returnpage parameter in index.php, enabling cross-site scripting (XSS) via crafted links. The HTB advisory HTB23178 documents exploitation and confirms the fixed vendor p...
CVE-2014-2293
CVE-2014-2293 affects Zikula Application Framework prior to 1.3.7 build 11. The vulnerability arises from PHP object injection via crafted serialized data in index.php parameters: authentication_method_ser, authentication_info_ser, or zikulaMobileTheme. This can allow remote attackers to delete a...
CVE-2010-4729
Zikula
CVE-2016-9835
Summary (CVE-2016-9835) : Zikula’s jcss.php file has a directory traversal vulnerability in 1.3.x (before 1.3.11) and 1.4.x (before 1.4.4) on Windows, allowing a remote attacker to upload a serialized file to trigger a PHP object injection. Root cause is improper handling of uploaded content lead...