It was found that the Zikula web application framework did not properly sanitize the 'themename' parameter when setting a particular theme as the default one, modifying the theme, or deleting it. A remote attacker with Zikula administrator privileges could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

References:
[1] http://www.securityfocus.com/archive/1/519565/30/0/threaded
[2] https://www.htbridge.ch/advisory/xss_in_zikula.html

Relevant upstream patch:
[3] https://github.com/zikula/core/commit/c27dc3ddce8c9ff519ed57397e3bdf8f281aade6
Provided PoC (from [1], [2]):
=============================
http://host/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

CVE Request:
[4] http://www.openwall.com/lists/oss-security/2011/09/08/5
This issue did NOT affect the versions of the zikula package as shipped with Fedora releases 14 and 15 (these versions do not yet contain the affected code in question).

--

This issue did NOT affect the versions of the zikula package as present within the EPEL-5 and EPEL-6 repositories (the zikula package versions there do not yet contain the vulnerable code in question).
This issue was assigned the name CVE-2011-3352.
A potentially duplicate CVE identifier, CVE-2011-3979, has also been assigned to this issue. Checking with Mitre:
[5] http://www.openwall.com/lists/oss-security/2011/10/04/3
which CVE identifier is the proper one to use when referencing this issue. Will update this bug later, if / once necessary.
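
A log check for the request shape in the report above (theme module, admin type, 'themename' parameter), added here as an example and not taken from the bug report or from the Zikula project. It flags theme-admin requests whose decoded themename is not a plain identifier; the allowlist pattern, the combined-log request format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate theme names are plain directory-style identifiers.
SAFE_THEMENAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line as it appears inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')


def suspicious_themename(log_line):
    """Return the decoded themename if the line is a theme-admin request
    whose themename is not a plain identifier, otherwise None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    # parse_qs percent-decodes once, so a double-encoded value still
    # contains '%' and fails the allowlist as well.
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if query.get("module", [""])[-1].lower() != "theme":
        return None
    if query.get("type", [""])[-1].lower() != "admin":
        return None
    for value in query.get("themename", []):
        if not SAFE_THEMENAME.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded themename) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_themename(line)
        if value is not None:
            hits.append((n, value))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [08/Sep/2011:10:00:00 +0000] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=Andreas08 HTTP/1.1" 200 512',
    '192.0.2.11 - - [08/Sep/2011:10:00:05 +0000] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [08/Sep/2011:10:00:09 +0000] "GET /index.php?module=news&themename=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE):
        print(f"line {n}: themename={value!r}")
```

Only parameters carried in the query string are visible to this check; values submitted in a POST body do not appear in a standard access log.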