Cross-site Scripting (XSS) - Stored in zikula/core


Reported on

Dec 30th 2021


When inputting a name for a module category (whether editing an existing one or adding a new one), you're able to inject your own Javascript, leading to it being executed.

An example payload that you can enter is: <a href="javascript:alert(1)">xss</a> and then each time that you click the category to expand it, your Javascript payload is executed:

Proof of Concept

<a href="javascript:alert(1)">xss</a>


POST /adminpanel/ajax/editcategory HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 13
DNT: 1
Connection: keep-alive
Cookie: _zsid=78cujs3anllt6em953aut59odj
Sec-GPC: 1


An attacker can exploit this vulnerability in order to execute their own Javascript on the admin panel.


The item variable stores the category object. The name of the category is updated using the new category name, which is stored in the variable name and was retrieved from the user's request (the user's request data is stored in variables at line 210-211, the name variable stores the new category name) without proper sanitization.

The item variable (line 255) stores the category object. The name of the category is updated using the name variable which is used without being properly sanitized, it should be sanitized prior to line 255. The name variable stores the category name which the user supplies in their request (see lines 210-211 which is where the user's request data when updating a category name are stored into variables)

We are processing your report and will contact the zikula/core team within 24 hours. a month ago
We have contacted a member of the zikula/core team and are waiting to hear back a month ago
Axel Guckelsberger validated this vulnerability a month ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger confirmed that a fix has been merged on 09a396 a month ago
The fix bounty has been dropped
AjaxController.php#L256 has been validated