WEB APPLICATION VULNERABILITIES Standard & Premium

Zikula Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-3352)

Description

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

Remediation

References

Related Vulnerabilities

WordPress Plugin MaxBlogPress Max Banner Ads Cross-Site Scripting (1.9)

Drupal Core 8.x Multiple Vulnerabilities (8.0.0 - 8.3.3)

WordPress Plugin WordPress Infinite Scroll-Ajax Load More Unspecified Vulnerability (2.11.0)

WordPress Plugin Content text slider on post Cross-Site Scripting (6.8)

WordPress Plugin bbPress Members Only Cross-Site Request Forgery (1.2.1)

Severity

Medium

Classification

CVE-2011-3352 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities