Cross-site Scripting (XSS) - Generic in zikula/core

Valid

Reported on Nov 29th 2021


Description

In zikula/core, a cross-site scripting vulnerability is present in the block module description field.

Proof of Concept

  1. Login to the demo account

  2. Go to blocks: https://demo.ziku.la/blocks/admin/view

  3. Add payload in title field and save

  4. payload = "><iMg SrC="x" oNeRRor="alert(1);">

Impact

This vulnerability is capable of stealing the user session.
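As an added illustration (not Zikula's own code), the Python below places the unsafe rendering of a stored block field next to an escaped rendering, using the report's payload as constructed stored input, and adds a simple audit check that flags stored block fields containing markup. The rendering template, the `title` attribute and the function names are assumptions for the example.

```python
import html
import re

# Constructed sample: the payload from the report, as it would sit in the
# block's stored title/description field.
STORED_TITLE = '"><iMg SrC="x" oNeRRor="alert(1);">'

# Audit check for a plain-text field: a tag start, or an on*= event-handler
# attribute, should never appear in a stored block title/description.
SUSPICIOUS = re.compile(r'<\s*/?[a-z]|\bon[a-z]+\s*=', re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """True when a stored field contains HTML tag or event-handler syntax."""
    return bool(SUSPICIOUS.search(value))


def render_block_vulnerable(title: str) -> str:
    """Vulnerable: the stored field is interpolated straight into HTML, both
    as an attribute value and as element content. The payload's leading ">
    closes the attribute and opens a new element with an onerror handler."""
    return f'<div class="block" title="{title}"><h3>{title}</h3></div>'


def render_block_safe(title: str) -> str:
    """Hardened: escape for HTML with quotes included (the equivalent of
    PHP's htmlspecialchars with ENT_QUOTES), so ", ', <, > and & become
    entities and can no longer change the markup structure."""
    safe = html.escape(title, quote=True)
    return f'<div class="block" title="{safe}"><h3>{safe}</h3></div>'


def injected_element_count(rendered: str) -> int:
    """Number of <img ...> elements that survive in the rendered output."""
    return len(re.findall(r'<img\b', rendered, re.IGNORECASE))
```

In a Twig template the same defence is keeping autoescaping enabled and never applying `|raw` to a stored block field.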

We are processing your report and will contact the zikula/core team within 24 hours. 2 months ago
We have contacted a member of the zikula/core team and are waiting to hear back 2 months ago
zikula/core maintainer (Maintainer), 2 months ago:

Where is the difference to https://huntr.dev/bounties/564242e6-6ec3-453b-95b6-030890e5b932/ ?

Asura-N (Researcher), 2 months ago:

Apologies for that, I didn't check. Wait, I will update @maintainer

zikula/core maintainer validated this vulnerability 2 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
zikula/core maintainer confirmed that a fix has been merged on e453ad 2 months ago
The fix bounty has been dropped