Cross-site Scripting (XSS) - Stored in zikula/core
Jan 17th 2022
In zikula/core, a stored cross-site scripting vulnerability is present in the block list description field of the Blocks module. Commit e453ad does not properly sanitize the input.
Proof of Concept
1. Log in to the demo account.
2. Go to Blocks: https://demo.ziku.la/blocks/admin/view
3. Add the payload in the block list description field and save.
4. Payload: "><iMg SrC="x" oNeRRor="alert(1);">
5. Click a position such as left, right or any other; it goes to https://demo.ziku.la/blocks/admin/placement/edit/1 and the alert will trigger.
Axel Guckelsberger validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger marked this as fixed in 3.0.5 with commit 4f4d5d a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
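An added example, not part of the report and not Zikula's code or the fix in commit 4f4d5d: it passes the report's payload through a hypothetical row template with and without output encoding, then parses each result to list any markup the template itself never emits. The function names and the assumption that the description lands in a double-quoted value attribute are illustrative.

```php
<?php
declare(strict_types=1);

// Hypothetical renderers for a block-list row; not Zikula's templates.
// Assumption: the description is written into a double-quoted attribute,
// which is what the leading "> of the report's payload suggests.
function renderRowUnsafe(string $description): string
{
    // Stored value is concatenated into the markup as-is.
    return '<input type="text" name="description" value="' . $description . '">';
}

function renderRowEscaped(string $description): string
{
    // Encode on output for the attribute context: & < > " and ' become entities.
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="description" value="' . $safe . '">';
}

// Parse rendered markup; report elements and event-handler attributes
// that the row template never produces on its own.
function unexpectedMarkup(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate malformed HTML
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $findings = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, ['html', 'body', 'div', 'input'], true)) {
            $findings[] = "element <$tag>";
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->nodeName, 'on') === 0) {
                $findings[] = "handler {$attr->nodeName} on <$tag>";
            }
        }
    }
    return $findings;
}

// Payload string exactly as given in the report.
$stored = '"><iMg SrC="x" oNeRRor="alert(1);">';
$rows = ['unsafe' => renderRowUnsafe($stored), 'escaped' => renderRowEscaped($stored)];
foreach ($rows as $name => $html) {
    $found = unexpectedMarkup($html);
    printf("%-8s %s\n", $name, $found ? implode(', ', $found) : 'no unexpected markup');
}
```

The same parse-and-allowlist check can be run as a regression test against any template that prints a stored, user-editable field.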