Zikula Core 1.3.6 (Security Release)
Zikula Core 1.3.6 was released on November 6, 2013. This is strictly a security release for the Core 1.3.x series. All users of Core 1.3.0 - 1.3.5 are advised to update as soon as possible. This release contains no bug fixes or features beyond those in Core 1.3.5; the only change is the security fix.
Installation/Upgrade (from Core 1.3.5): overwrite the files in your current installation with the new files, then run the upgrade.php routine.
The release that was to be version 1.3.6 has been renamed to 1.3.7 and is yet unreleased. Please adjust your development module dependencies accordingly.
Advisory ID: HTB23178
Product: Zikula Application Framework
Vendor: Zikula Software Foundation ( http://zikula.org )
Vulnerable Version(s): 1.3.5 build 20 and probably prior
Tested Version: 1.3.5 build 20
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
High-Tech Bridge Security Research Lab discovered a vulnerability in Zikula Application Framework which can be exploited to perform Cross-Site Scripting (XSS) attacks.
1) Cross-Site Scripting (XSS) in Zikula Application Framework
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "returnpage" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
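The advisory names the bug class (a "returnpage" value reflected into the page without proper sanitisation) but does not publish the affected code or a proof of concept. The following is an added illustration of that class in PHP, written for this page; it is not Zikula's code, and the function names, the hidden-field markup and the probe string are assumptions made for the example. It places a naive reflection beside a hardened form that first restricts the value to a site-relative path and then HTML-escapes it at the output point.

```php
<?php
// Added example for advisory HTB23178's bug class. NOT Zikula code:
// function names, markup and inputs are constructed for illustration.

/**
 * Vulnerable pattern: the raw query value is interpolated straight into an
 * HTML attribute. A value such as  "><script>...</script>  closes the
 * attribute and the tag, and the script runs in the site's origin.
 */
function render_redirect_vulnerable(string $returnpage): string
{
    return '<input type="hidden" name="returnpage" value="' . $returnpage . '">';
}

/**
 * Allow-list a return page: only a plain site-relative path with a
 * conservative character set; no scheme, no leading slash, no "//",
 * no "..", no quotes or angle brackets. Anything else falls back to
 * the default so the redirect can neither carry markup nor leave the site.
 */
function safe_return_page(string $value, string $default = 'index.php'): string
{
    if ($value === '' || !preg_match('#\A[A-Za-z0-9_./?&=%+-]+\z#', $value)) {
        return $default;
    }
    if ($value[0] === '/'
        || strpos($value, '//') !== false
        || strpos($value, '..') !== false) {
        return $default;
    }
    return $value;
}

/**
 * Hardened pattern: validate the value, then escape it for the HTML
 * attribute context. Escaping alone would stop the markup injection;
 * the allow-list additionally prevents open-redirect style abuse.
 */
function render_redirect_safe(string $returnpage): string
{
    $target = safe_return_page($returnpage);
    return '<input type="hidden" name="returnpage" value="'
        . htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed probe for the example (not a PoC from the advisory).
$probe = '"><script>alert(document.cookie)</script>';

echo render_redirect_vulnerable($probe), PHP_EOL;   // attribute broken out of
echo render_redirect_safe($probe), PHP_EOL;         // falls back to index.php
echo render_redirect_safe('index.php?module=News&func=view&sid=12'), PHP_EOL;
echo render_redirect_safe('//evil.example/phish'), PHP_EOL;  // falls back
```

Run it with `php example.php` and compare the first two lines of output: the vulnerable renderer emits a closed `<input>` followed by a live `<script>` element, while the hardened one emits only the default target. The same two controls apply wherever the parameter is later used for the actual redirect: validate it as a local path before issuing the `Location:` header, not just when echoing it into the form.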