Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php. http://www.securityfocus.com/archive/1/archive/1/510988/100/0/threaded http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework.html http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework_1.html http://community.zikula.org/index.php?module=News&func=display&sid=3012&title=zikula-1.2.3-release-announcement
Created zikula tracking bugs for this issue Affects: fedora-all [bug 589292]
I have requested an exception from FESCo for the bundled/forked library problem that has heretofore stopped inclusion of the 1.2.x series into Fedora. https://fedorahosted.org/fesco/ticket/375
zikula-1.2.3-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/zikula-1.2.3-1.fc12
zikula-1.2.3-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/zikula-1.2.3-1.fc11
zikula-1.2.3-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/zikula-1.2.3-1.fc13
zikula-1.2.3-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/zikula-1.2.3-1.el5
zikula-1.2.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
zikula-1.2.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.