Cross-site Scripting (XSS) - Reflected in zikula/core
Valid
Reported on Nov 29th 2021
Description
zikula/core has a cross-site scripting vulnerability in the extension list name field.
Proof of Concept
1. Log in to the demo account.
2. Go to extensions: https://demo.ziku.la/extensions/module/modify/3
3. Add the payload in the displayname field.

Payload: "><iMg SrC="x" oNeRRor="alert(1);">
Impact
This vulnerability can be used to steal the user's cookie.
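The payload starts with `">`, so it only works if the display name is written into a double-quoted HTML attribute without encoding. The sketch below is an added example, not code from zikula/core: the renderer and helper names are hypothetical, and it shows the unencoded output next to attribute-context encoding, with a parser-based check that can serve as a regression test.

```php
<?php
declare(strict_types=1);

// Hypothetical form renderer (assumption, not Zikula's code).
// Vulnerable: the value is concatenated into the attribute as-is, so a value
// containing `">` closes the attribute and the tag, and the rest is parsed as markup.
function renderDisplayNameUnsafe(string $displayName): string
{
    return '<input type="text" name="displayname" value="' . $displayName . '">';
}

// Encode for the HTML attribute context: &, <, > and both quote styles.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: same markup, value encoded at output time.
function renderDisplayNameSafe(string $displayName): string
{
    return '<input type="text" name="displayname" value="' . escapeAttr($displayName) . '">';
}

// Regression check: parse the fragment and list every element other than the
// single <input> the template is supposed to produce.
function unexpectedElements(string $fragment): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the malformed markup under test
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_clear_errors();

    $found = [];
    foreach ($doc->getElementsByTagName('*') as $element) {
        if (!in_array($element->nodeName, ['html', 'head', 'body', 'input'], true)) {
            $found[] = $element->nodeName;
        }
    }
    return $found;
}

// Payload string taken from the report above.
$payload = '"><iMg SrC="x" oNeRRor="alert(1);">';

echo "unsafe: ", implode(',', unexpectedElements(renderDisplayNameUnsafe($payload))), PHP_EOL;
echo "safe:   ", implode(',', unexpectedElements(renderDisplayNameSafe($payload))), PHP_EOL;
```

Setting the session cookie with the HttpOnly flag limits the cookie-theft impact named above, but it does not remove the injection itself; encoding at output does.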
We are processing your report and will contact the zikula/core team within 24 hours.
2 years ago
We have contacted a member of the zikula/core team and are waiting to hear back.
2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE