Cross-site Scripting (XSS) - Generic in zikula/core


Reported on

Nov 29th 2021


In zikula/core cross site scripting vulnerability is present in block module description field

Proof of Concept

  1. login to the demo account

  2. go to blocks

  3. Add payload in title field and save

4 payload = "><iMg SrC="x" oNeRRor="alert(1);">


This vulnerability is capable of stolen the user session

We are processing your report and will contact the zikula/core team within 24 hours. 2 years ago
We have contacted a member of the zikula/core team and are waiting to hear back 2 years ago
zikula/core maintainer
2 years ago


Where is the difference to ?

2 years ago


Apalogies for that I didn't check , wait I will update @ maintainer

zikula/core maintainer validated this vulnerability 2 years ago
asura-n has been awarded the disclosure bounty
The fix bounty is now up for grabs
zikula/core maintainer marked this as fixed in 3.0.4 with commit e453ad 2 years ago
The fix bounty has been dropped
to join this conversation