CVE-2016-9835
CRITICALZikula Framework 1.3.x < 1.3.11 and 1.4.x < 1.4.4 - Directory Traversal & PHP Object Injection
Title source: llmDescription
Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.
References (4)
Core 4
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/zikula/core/issues/3237
Issue Tracking, Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/zikula/core/blob/1.4/CHANGELOG-1.4.md
Issue Tracking, Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/zikula/core/blob/1.3/CHANGELOG-1.3.md
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/95005
Scores
CVSS v3
9.8
EPSS
0.0392
EPSS Percentile
89.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
CWE-77
Status
published
Products (15)
zikula/zikula_application_framework
1.3.0
zikula/zikula_application_framework
1.3.1
zikula/zikula_application_framework
1.3.2
zikula/zikula_application_framework
1.3.3
zikula/zikula_application_framework
1.3.4
zikula/zikula_application_framework
1.3.5
zikula/zikula_application_framework
1.3.6
zikula/zikula_application_framework
1.3.7
zikula/zikula_application_framework
1.3.8
zikula/zikula_application_framework
1.3.9
... and 5 more
Published
Dec 05, 2016
Tracked Since
Feb 18, 2026