Multiple cross-site scripting (XSS) vulnerabilities in Zikula
Application Framework 1.2.2, and possibly earlier, allow remote
attackers to inject arbitrary web script or HTML via the (1) func
parameter to index.php, or the (2) lang parameter to index.php, which
is not properly handled by ZLanguage.php.
Created zikula tracking bugs for this issue
Affects: fedora-all [bug 589292]
I have requested an exception from FESCo for the bundled/forked library problem that has heretofore stopped inclusion of the 1.2.x series into Fedora.
zikula-1.2.3-1.fc12 has been submitted as an update for Fedora 12.
zikula-1.2.3-1.fc11 has been submitted as an update for Fedora 11.
zikula-1.2.3-1.fc13 has been submitted as an update for Fedora 13.
zikula-1.2.3-1.el5 has been submitted as an update for Fedora EPEL 5.
zikula-1.2.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
zikula-1.2.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.