Zikula Application Framework@* Security Vulnerabilities and Issues — Zikula Application Framework@* CVE List

Lucene search

ZikulaZikula Application Framework*

8 matches found

CVE•added 2019/11/19 11:15 p.m.•65 views

CVE-2011-3352

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context...

4.8CVSS5.4AI score0.00302EPSS

CVE•added 2011/02/08 10:0 p.m.•43 views

CVE-2010-4728

Zikula before 1.3.1 uses the rand and srand PHP functions for random number generation, which makes it easier for remote attackers to defeat protection mechanisms based on randomization by predicting a return value, as demonstrated by the authid protection mechanism.

5CVSS6.9AI score0.00345EPSS

CVE•added 2011/02/08 10:0 p.m.•41 views

CVE-2011-0535

Cross-site request forgery (CSRF) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to hijack the authentication of administrators for requests that change account privileges via an edit access_permissions action to index.php.

6.8CVSS7.2AI score0.00464EPSS

CVE•added 2010/05/06 12:47 p.m.•38 views

CVE-2010-1732

Cross-site request forgery (CSRF) vulnerability in the users module in Zikula Application Framework before 1.2.3 allows remote attackers to hijack the authentication of administrators for requests that change the administrator email address (updateemail action).

6.8CVSS6.9AI score0.00109EPSS

CVE•added 2013/11/14 8:55 p.m.•38 views

CVE-2013-6168

Cross-site scripting (XSS) vulnerability in Zikula Application Framework before 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the returnpage parameter to index.php.

4.3CVSS5.7AI score0.0034EPSS

CVE•added 2018/03/26 6:29 p.m.•38 views

CVE-2014-2293

Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) ...

9.8CVSS9.7AI score0.16849EPSS

CVE•added 2011/02/08 10:0 p.m.•37 views

CVE-2011-0911

Cross-site scripting (XSS) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: it is possible that this overlaps CVE-2011-0535.

4.3CVSS5.7AI score0.00464EPSS

CVE•added 2011/02/08 10:0 p.m.•34 views

CVE-2010-4729

Zikula before 1.2.3 does not use the authid protection mechanism for (1) the lostpassword form and (2) mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests and possibly conduct cross-site request forgery (CSRF) attacks via multiple form submissi...

6.8CVSS7.2AI score0.00182EPSS