Summary
This host is running Zikula and is prone to multiple cross-site scripting and cross-site request forgery vulnerabilities.
Impact
Successful exploitation allows remote attackers to execute arbitrary HTML and script code in a victim's browser session, disclose or modify sensitive data, conduct cross-site request forgery (CSRF) attacks, and thereby compromise the application.
Impact Level: Application.
Solution
Upgrade to Zikula version 1.2.3 or later.
For updates refer to http://zikula.org/
Insight
- Input passed to the 'lang' and 'func' parameters of 'index.php' is not properly sanitised before being returned to the user, which allows reflected cross-site scripting.
- The 'users' module fails to properly verify the source of HTTP requests, which allows cross-site request forgery.
- An error in the 'authid' protection mechanism for the lostpassword form and mailpasswd processing makes it easier for remote attackers to generate a flood of password requests.
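The following is an added example, not Zikula's code and not part of the original advisory. It shows the two checks a scanner would run for the issues above: a version comparison against the fixed release 1.2.3, and a reflection probe for the 'lang' and 'func' parameters of index.php that flags a response only when the probe marker comes back unescaped (an HTML-escaped echo is the safe case and must not be reported). The hostname, the marker string and the HTTP response bodies are constructed here so the script runs offline; in a real check the bodies would come from the target host.

```python
"""Added example: version check and reflected-XSS probe for the Zikula advisory.

Not Zikula's code. The target URL, marker and response bodies are assumptions
constructed for an offline demonstration.
"""
import html
import re
from urllib.parse import urlencode

FIXED_VERSION = (1, 2, 3)          # first release that carries the fix
PROBE_PARAMS = ("lang", "func")    # index.php parameters named in the advisory
MARKER = "zk\"'<xss>"              # characters that a safe page must escape


def parse_version(text: str) -> tuple:
    """'1.2.2' -> (1, 2, 2); any non-numeric suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_is_affected(version: str) -> bool:
    """Zikula releases prior to 1.2.3 are affected (tuple comparison)."""
    return parse_version(version) < FIXED_VERSION


def probe_url(base: str, param: str) -> str:
    """Build the index.php request that carries the marker in one parameter."""
    return f"{base.rstrip('/')}/index.php?{urlencode({param: MARKER})}"


def reflects_unescaped(body: str) -> bool:
    """True only if the raw marker is echoed; an HTML-escaped copy is safe."""
    return MARKER in body


def assess(version: str, responses: dict) -> dict:
    """Combine the version check with the per-parameter reflection probe.

    responses maps each probed parameter name to the body returned for
    probe_url(base, param).
    """
    reflected = [p for p in PROBE_PARAMS if reflects_unescaped(responses.get(p, ""))]
    return {"version_affected": version_is_affected(version), "reflected": reflected}


# Constructed sample responses (assumption: not captured from a real host).
# An unpatched page echoes the parameter verbatim; a patched one escapes it.
VULNERABLE_BODY = f"<html><body>Unknown language: {MARKER}</body></html>"
SAFE_BODY = f"<html><body>Unknown language: {html.escape(MARKER)}</body></html>"


if __name__ == "__main__":
    base = "http://zikula.example.test"   # hypothetical target
    for param in PROBE_PARAMS:
        print("probe:", probe_url(base, param))
    print(assess("1.2.2", {"lang": VULNERABLE_BODY, "func": SAFE_BODY}))
    print(assess("1.2.3", {"lang": SAFE_BODY, "func": SAFE_BODY}))
```

Version comparison is done on integer tuples rather than strings so that, for example, 1.10.0 is not ordered before 1.2.3; the reflection check deliberately looks for the raw marker rather than any occurrence of the word, so a correctly escaped page does not produce a false positive.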
Affected
Zikula version prior to 1.2.3
Severity
CVSS Base Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Classification
CVE: CVE-2010-1724, CVE-2010-1732, CVE-2010-4729