Zikula: >> Zikula Application Framework >> 1.2.3 Security Vulnerabilities
Cross-site scripting (XSS) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: it is possible that this overlaps CVE-2011-0535.
CVSS Score
4.3
EPSS Score
0.002
Published
2011-02-08
Cross-site request forgery (CSRF) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to hijack the authentication of administrators for requests that change account privileges via an edit access_permissions action to index.php.
CVSS Score
6.8
EPSS Score
0.005
Published
2011-02-08
Zikula before 1.3.1 uses the rand and srand PHP functions for random number generation, which makes it easier for remote attackers to defeat protection mechanisms based on randomization by predicting a return value, as demonstrated by the authid protection mechanism.
CVSS Score
5.0
EPSS Score
0.003
Published
2011-02-08