CVE-2011-3979 Information

Description

Cross-site scripting (XSS) vulnerability in ztemp/view_compiled/Theme/theme_admin_setasdefault.php in the theme module in Zikula Application Framework 1.3.0 build 3168, 1.2.7, and probably other versions allows remote attackers to inject arbitrary web script or HTML via the themename parameter in the setasdefault action to index.php.

Reference

http://community.zikula.org/index.php?module=News&func=display&sid=3075
http://osvdb.org/75226
http://secunia.com/advisories/45884
http://securityreason.com/securityalert/8409
http://www.securityfocus.com/archive/1/519565/100/0/threaded
http://www.securityfocus.com/bid/49491
https://exchange.xforce.ibmcloud.com/vulnerabilities/69644
https://www.htbridge.ch/advisory/xss_in_zikula.html
