Zikula Multiple XSS and CSRF Vulnerabilities

Summary
This host is running Zikula and is prone to multiple cross-site scripting and cross-site request forgery vulnerabilities.
Impact
Successful exploitation will allow remote attackers to compromise the application, disclose or modify sensitive data, execute arbitrary HTML and script code, and conduct cross-site request forgery (CSRF) attacks. Impact Level: Application.
Solution
Upgrade to Zikula version 1.2.3 or later. For updates refer to http://zikula.org/
Insight
- Input passed to the 'lang' parameter and to the 'func' parameter of 'index.php' is not properly sanitised before being returned to the user, allowing reflected cross-site scripting.
- Failure in the 'users' module to properly verify the source of HTTP requests, allowing cross-site request forgery.
- Error in the 'authid protection' mechanism for the lostpassword form and mailpasswd processing, which makes it easier for remote attackers to generate a flood of password requests.
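The following is an added illustration, not Zikula's own code, of the two defect classes described above: a handler that reflects the 'lang' and 'func' query parameters unescaped, beside a hardened version, and a per-session 'authid' token check of the kind the lostpassword form needs. All function names are hypothetical; it assumes PHP 7 or later for random_bytes() and an active session.

```php
<?php
// Added example, not Zikula's own code. Function names are hypothetical.
session_start(); // assumption: the authid token lives in the PHP session

// Vulnerable pattern: query parameters are echoed straight into the HTML
// response, so a crafted 'lang' or 'func' value is rendered as markup.
function render_vulnerable(array $get): string {
    $lang = $get['lang'] ?? 'en';
    $func = $get['func'] ?? 'main';
    return "<div lang=\"$lang\">Unknown function: $func</div>";
}

// Hardened pattern: validate 'lang' against an allow-list (it is used inside
// an attribute), and HTML-encode 'func' so the browser never treats it as
// markup, whatever characters it contains.
function render_hardened(array $get, array $allowed_langs): string {
    $lang = $get['lang'] ?? 'en';
    if (!in_array($lang, $allowed_langs, true)) {
        $lang = 'en'; // unknown language code: fall back, do not reflect it
    }
    $func = htmlspecialchars($get['func'] ?? 'main', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div lang=\"$lang\">Unknown function: $func</div>";
}

// CSRF protection: issue one unguessable secret per session and embed it as a
// hidden field in every state-changing form (lost password, mail password).
function issue_authid(): string {
    if (empty($_SESSION['authid'])) {
        $_SESSION['authid'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['authid'];
}

// A request posted from another site cannot carry the session's token, so a
// missing or wrong value rejects the request before any password mail is sent.
// hash_equals() compares in constant time to avoid leaking the token by timing.
function verify_authid(array $post): bool {
    $sent = (string)($post['authid'] ?? '');
    $expected = (string)($_SESSION['authid'] ?? '');
    return $expected !== '' && hash_equals($expected, $sent);
}

// Usage in a lost-password handler (assumed shape):
// if (!verify_authid($_POST)) { http_response_code(403); exit; }
// echo render_hardened($_GET, ['en', 'de', 'fr']);
```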
Affected
Zikula versions prior to 1.2.3
References