Description

Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

Remediation

References

CVE-2011-3352

Related Vulnerabilities

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-17823)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9853)

WordPress Plugin HashBar-WordPress Notification Bar Cross-Site Scripting (1.3.5)

Magento Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-7854)

Jenkins Improper Input Validation Vulnerability (CVE-2012-4438)

Severity

Medium

Classification

CVE-2011-3352 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities