Cross-site Scripting (XSS) - Stored in zikula/core

Valid

Reported on

Jan 17th 2022


Description

In zikula/core cross site scripting vulnerability is present in block modules block list description field. This commit e453ad not properly santize the input.

Proof of Concept

login to the demo account

go to blocks https://demo.ziku.la/blocks/admin/view

Add payload in block list description field and save

4 .payload = "><iMg SrC="x" oNeRRor="alert(1);">

5 . Click position like left,right or any, it go to this link https://demo.ziku.la/blocks/admin/placement/edit/1 and alert will trigger.

We are processing your report and will contact the zikula/core team within 24 hours. 4 months ago
We have contacted a member of the zikula/core team and are waiting to hear back 4 months ago
Axel Guckelsberger validated this vulnerability 4 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger confirmed that a fix has been merged on 4f4d5d 4 months ago
The fix bounty has been dropped
to join this conversation