Zikula: >> Zikula Application Framework >> 1.3.1 Security Vulnerabilities
Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.
CVSS Score
9.8
EPSS Score
0.168
Published
2018-03-26
Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.
CVSS Score
9.8
EPSS Score
0.039
Published
2016-12-05
Cross-site scripting (XSS) vulnerability in Zikula Application Framework before 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the returnpage parameter to index.php.
CVSS Score
4.3
EPSS Score
0.003
Published
2013-11-14