Zikula Application Framework version 1.3.5 build 20, and probably prior versions, is vulnerable to XSS (cross-site scripting) attacks. Details of the vulnerability were disclosed this week by High-Tech Bridge Security Research Lab.
The cross-site scripting (XSS) vulnerability in Zikula Application Framework exists due to insufficient sanitisation of user-supplied data in the "returnpage" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
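The following is an added illustration, not Zikula's code, of how a "returnpage"-style GET parameter read from index.php should be handled so that it cannot carry markup into the response: the value is validated against a same-site allowlist and then HTML-encoded for the attribute it lands in. The function names and the sample query strings are constructed for this example.

```python
# Added example, not Zikula's code: validating and output-encoding a
# "returnpage"-style GET parameter. Function names and the sample query
# strings are constructed for this illustration.
import html
import re
from urllib.parse import parse_qs, urlsplit

DEFAULT_PAGE = "index.php"
# Allowlist: letters, digits and the few characters a local path/query needs.
# Angle brackets, quotes, colons, backslashes and control characters all fail.
_ALLOWED = re.compile(r"^[A-Za-z0-9_./?=&%-]+$")


def safe_return_page(value, default=DEFAULT_PAGE):
    """Accept only a same-site relative path; anything else falls back to default."""
    if not value or not _ALLOWED.match(value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:        # http://host/... or //host/... (off-site)
        return default
    if ".." in parts.path.split("/"):       # directory traversal in the path
        return default
    return value


def render_unsafe(query_string):
    """The bug class the advisory describes: the parameter is echoed into HTML as-is."""
    value = parse_qs(query_string).get("returnpage", [DEFAULT_PAGE])[0]
    return '<a href="%s">Return</a>' % value


def render_safe(query_string):
    """Validated value, then HTML-encoded for the attribute context it is placed in."""
    value = parse_qs(query_string).get("returnpage", [DEFAULT_PAGE])[0]
    return '<a href="%s">Return</a>' % html.escape(safe_return_page(value), quote=True)


if __name__ == "__main__":
    # Constructed sample requests: a legitimate value and one carrying markup.
    samples = (
        "returnpage=index.php%3Fmodule%3DNews%26name%3Dx",
        "returnpage=%22%3E%3Cb%3Ex%3C/b%3E",
    )
    for qs in samples:
        print("unsafe:", render_unsafe(qs))
        print("safe:  ", render_safe(qs))
```

Note that escaping alone is not enough for a parameter that is later used as a redirect target, which is why the allowlist check runs before the encoding step.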
Solution: Update to Zikula 1.3.6 build 19
Additional details are available on the researcher's page and on zikula.org.