PT-2010-3364 · Zikula · Zikula Application Framework
Published
2010-05-05
·
Updated
2018-10-10
·
CVE-2010-1724
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Zikula Application Framework versions 1.2.2 and earlier
Description
The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the
func parameter to "index.php", or the lang parameter to "index.php", which is not properly handled by ZLanguage.php.Recommendations
For Zikula Application Framework versions 1.2.2 and earlier, consider disabling access to the vulnerable parameters
func and lang in the "index.php" endpoint until a patch is available. Restrict input handling by ZLanguage.php to minimize the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zikula Application Framework