CVE-2010-1724
Published 2010-05-06
Priority: P421 | CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: public PoC available (see the Exploit-DB entries below)
EPSS: 4.10% (89.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zikula | zikula_application_framework | 1.2.2 and possibly earlier | 1.2.3 (release announcement listed in the references) |
No detection rules found.
Exploit-DB: Zikula Application Framework 1.2.2 - 'ZLanguage.php?lang' Cross-Site Scripting (exploitdb, 2010-04-13, CVE-2010-1724)
---
source: https://www.securityfocus.com/bid/39717/info
Zikula Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Zikula Application Framework 1.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/?lang=en%27%22%3E%3Cimg%20src=0%20onerror=alert%28document.cookie%29%3E
Exploit-DB: Zikula Application Framework 1.2.2 - 'index.php?func' Cross-Site Scripting (exploitdb, 2010-04-13, CVE-2010-1724)
---
source: https://www.securityfocus.com/bid/39717/info
(Advisory text identical to the 'ZLanguage.php?lang' entry above.)
http://www.example.com/index.php?module=adminpanel&type=admin&func=adminpanel&lang=en%27%22%3E%3Cimg%20src=0%20onerror=alert%28document.cookie%29%3E
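Both PoC URLs above carry the same payload, and, as published, both place it in the lang parameter; the 'index.php?func' entry only adds the module, type and func parameters that select the admin panel route. The Python below is an added example, not code from Zikula or from either Exploit-DB entry. It decodes the payload the way the server sees it, classifies a response body as raw reflection, encoded reflection, or no reflection, and contrasts a constructed model of the unescaped 1.2.2 behaviour with an output-encoded variant and an allowlisted variant. The render_* functions, the HTML shape and the installed-language set are assumptions for illustration, not Zikula's templates or its 1.2.3 fix.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# The two public PoC URLs quoted in the Exploit-DB entries above.
POC_URLS = {
    "ZLanguage.php?lang": "http://www.example.com/?lang=en%27%22%3E%3Cimg%20src=0%20onerror=alert%28document.cookie%29%3E",
    "index.php?func": "http://www.example.com/index.php?module=adminpanel&type=admin&func=adminpanel&lang=en%27%22%3E%3Cimg%20src=0%20onerror=alert%28document.cookie%29%3E",
}


def payload_from_poc(url: str, param: str = "lang") -> str:
    """Return the decoded value of one query parameter, as PHP's $_GET would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query[param][0]


# Constructed model of the behaviour the advisories describe: the request's
# lang value is echoed into an HTML attribute without encoding.
# Illustration only, not Zikula's template code.
def render_unescaped(lang: str) -> str:
    return f'<html lang="{lang}"><body>Zikula</body></html>'


# Same page with output encoding (PHP htmlspecialchars with ENT_QUOTES behaves
# like html.escape(quote=True) here). Enough to neutralise this PoC.
def render_escaped(lang: str) -> str:
    return f'<html lang="{escape(lang, quote=True)}"><body>Zikula</body></html>'


# Preferred fix for a closed value set: allowlist the installed language codes
# and fall back to the default. Encoding stays on as defence in depth.
LANG_CODE = re.compile(r"[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?")
INSTALLED_LANGUAGES = ("en", "de", "fr")  # assumption for the example


def render_allowlisted(lang: str, default: str = "en") -> str:
    if not LANG_CODE.fullmatch(lang) or lang not in INSTALLED_LANGUAGES:
        lang = default
    return render_escaped(lang)


def classify(body: str, payload: str) -> str:
    """Where does the payload end up in the response body?"""
    if payload in body:
        return "vulnerable"      # raw reflection: the <img onerror> reaches the browser
    if escape(payload, quote=True) in body:
        return "encoded"         # reflected, but neutralised by output encoding
    return "not reflected"


def check_poc(url: str, render, param: str = "lang") -> str:
    """Decode the PoC payload, push it through `render`, classify the result."""
    payload = payload_from_poc(url, param)
    return classify(render(payload), payload)


if __name__ == "__main__":
    for name, url in POC_URLS.items():
        for render in (render_unescaped, render_escaped, render_allowlisted):
            print(f"{name:20} {render.__name__:18} {check_poc(url, render)}")
```

Against a live instance, fetch the PoC URL with the exact query string and pass the response body plus `payload_from_poc(url)` to `classify`; "vulnerable" means the markup is reaching the browser, "encoded" means the reflection is still there but harmless. The allowlist is the right shape of fix for a language selector because the set of valid values is closed and known at install time; encoding alone also closes this issue but leaves the parameter free-form. Note that the PoC's `alert(document.cookie)` is only a demonstration: an HttpOnly session cookie would blunt that particular payload, not the script injection itself.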
Bugzilla: CVE-2010-1724 Zikula multiple XSS flaws (bugzilla, 2010-05-05, CVSS 4.3, MEDIUM)
Multiple cross-site scripting (XSS) vulnerabilities in Zikula
Application Framework 1.2.2, and possibly earlier, allow remote
attackers to inject arbitrary web script or HTML via the (1) func
parameter to index.php, or the (2) lang parameter to index.php, which
is not properly handled by ZLanguage.php.
http://www.securityfocus.com/archive/1/archive/1/510988/100/0/threaded
http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework.html
http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework_1.html
http://community.zikula.org/index.php?module=News&func=display&sid=3012&title=zikula-1.2.3-release-announcement
Discussion:
Created zikula tracking bugs for this issue
Affects: fedora-all [bug 589292]
--
Bugzilla: CVE-2010-1724 CVE-2010-1732 zikula various flaws [fedora-all] (bugzilla, 2010-05-05, CVSS 4.3, MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=589290
Please note: this issue affects multiple supported v
References
- http://community.zikula.org/index.php?module=News&func=display&sid=3012&title=zikula-1.2.3-release-announcement
- http://osvdb.org/64096
- http://www.osvdb.org/64095
- http://secunia.com/advisories/39614
- http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework.html
- http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework_1.html
- http://www.securityfocus.com/archive/1/510988/100/0/threaded
- http://www.securityfocus.com/bid/39717
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58224