Zikula Core 1.3.6 (Security Release)
Zikula Core 1.3.6 was released on November 6, 2013. This is strictly a security release for the Core 1.3.x series. All users of Core 1.3.0 - 1.3.5 are advised to update as soon as possible. This release contains no other bug fixes or features over Core 1.3.5.
Installation/Upgrade: (from Core 1.3.5) simply overwrite the files in your current installation with the new files, then run the upgrade.php routine.
The release that was to be version 1.3.6 has been renamed to 1.3.7 and is yet unreleased. Please adjust your development module dependencies accordingly.
Advisory ID: HTB23178
Product: Zikula Application Framework
Vendor: Zikula Software Foundation ( http://zikula.org )
Vulnerable Version(s): 1.3.5 build 20 and probably prior
Tested Version: 1.3.5 build 20
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
High-Tech Bridge Security Research Lab discovered a vulnerability in Zikula Application Framework which can be exploited to perform Cross-Site Scripting (XSS) attacks.
1) Cross-Site Scripting (XSS) in Zikula Application Framework
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "returnpage" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
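The following PHP snippet is an added illustration of the bug class the advisory describes; it is not Zikula's code and does not reproduce the actual 1.3.6 fix. It assumes a hypothetical page that reflects the "returnpage" parameter into a link, and shows that pattern beside a hardened version. The request array, the function names and the allow-list regex are all assumptions made for the example.

```php
<?php
// Added illustration (not Zikula's code): a reflected-XSS pattern of the kind
// HTB23178 describes, beside a hardened version. Only the parameter name
// "returnpage" and the index.php endpoint come from the advisory.

// Constructed request standing in for $_GET, so the script runs from the CLI.
$get = ['returnpage' => '"><script>alert(document.cookie)</script>'];

// VULNERABLE: the parameter is interpolated into an HTML attribute without
// encoding, so a value containing '">' closes the attribute and the tag and
// injects a <script> element into the page.
function renderVulnerable(array $get): string
{
    $return = $get['returnpage'] ?? '/index.php';
    return '<a href="' . $return . '">Continue</a>';
}

// HARDENED, step 1: accept only a site-relative path. Requiring a leading
// "/" that is not followed by another "/" rejects absolute URLs, scheme
// handlers such as javascript:, and protocol-relative "//evil.example" URLs,
// which also closes the open-redirect angle on a "return to page" parameter.
function validReturnPage(string $value): bool
{
    return (bool) preg_match('#^/(?!/)[A-Za-z0-9._~/?&=%-]*$#', $value);
}

// HARDENED, step 2: encode for the HTML attribute context at the point of
// output. ENT_QUOTES covers both quote characters; the charset is explicit so
// htmlspecialchars cannot be bypassed by malformed multibyte sequences.
function renderHardened(array $get): string
{
    $return = $get['returnpage'] ?? '/index.php';
    if (!validReturnPage($return)) {
        $return = '/index.php';   // fall back rather than reflect the input
    }
    $safe = htmlspecialchars($return, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">Continue</a>';
}

echo renderVulnerable($get), "\n";
echo renderHardened($get), "\n";
echo renderHardened(['returnpage' => '/index.php?module=News&a=1']), "\n";
```

The first line of output shows the attacker-controlled markup landing intact in the page; the hardened function replaces it with the default path and HTML-encodes the legitimate query string (the "&" becomes "&amp;"). Validation alone is not enough, since a permitted path can still contain characters that need encoding in an attribute, and encoding alone would still allow a javascript: URL in the href, so both steps are needed.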