VYPR
Moderate severity · NVD Advisory · Published Nov 2, 2022 · Updated Apr 15, 2025

Tribal Systems Zenario CMS Error Log Module admin_organizer.js cross site scripting

CVE-2020-36608

Description

A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS. Affected by this issue is some unknown functionality of the file admin_organizer.js of the component Error Log Module. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is dfd0afacb26c3682a847bea7b49ea440b63f3baa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-212816.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Zenario CMS's Error Log module allowed remote attackers to inject arbitrary web script via unsanitized input in admin_organizer.js.

Vulnerability Analysis

CVE-2020-36608 describes a problematic cross-site scripting (XSS) vulnerability found in Tribal Systems Zenario CMS. The issue exists within the Error Log module, specifically in the admin_organizer.js file [1][2]. The root cause is insufficient sanitization of user-controlled input that is later rendered in the browser, allowing an attacker to inject malicious scripts. The official patch (commit dfd0afacb26c3682a847bea7b49ea440b63f3baa) addresses this by applying additional htmlspecialchars() calls to output values, preventing script execution [2].
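
Why the patch escapes `itemName` once but the `title` value twice, as an added JavaScript example (not Zenario's code): each HTML parse decodes entities once, so a value needs one escaping layer per parse it passes through. That the `title` text is parsed as HTML a second time (for example by a tooltip widget) is an assumption, as are `classify`, `buildTitleAttr` and the sample name.

```javascript
// Added illustration, not Zenario code. htmlspecialchars and item.name mirror the
// patch; all other names and the second HTML parse of the title are assumptions.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESC = Object.fromEntries(Object.entries(ESC).map(([ch, ent]) => [ent, ch]));

function htmlspecialchars(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// One entity-decoding pass, which is what each HTML parse applies to a value.
function decodeEntitiesOnce(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => UNESC[ent]);
}

// Same string concatenation as the patched lines, with the escaping depth as a parameter.
function buildTitleAttr(name, escapeLayers) {
  let value = String(name);
  for (let i = 0; i < escapeLayers; i++) value = htmlspecialchars(value);
  return ' title="' + value + '|"';
}

// Follow a value through `parseSteps` HTML parses. A raw '<' or '"' at any parse
// means the value can change the markup (conservative: '"' only matters inside an
// attribute). Entities left over at the end mean the text is shown over-escaped.
function classify(name, escapeLayers, parseSteps) {
  let value = String(name);
  for (let i = 0; i < escapeLayers; i++) value = htmlspecialchars(value);
  for (let step = 0; step < parseSteps; step++) {
    if (/[<"]/.test(value)) return 'markup-injected';
    value = decodeEntitiesOnce(value);
  }
  return value === String(name) ? 'ok' : 'over-escaped';
}

// Constructed sample value standing in for item.name.
const SAMPLE_NAME = 'Report <b>Q3</b> "draft"';

function report() {
  return {
    // itemName is written into element content: one parse.
    itemNameBefore: classify(SAMPLE_NAME, 0, 1), // raw item.name
    itemNameAfter: classify(SAMPLE_NAME, 1, 1),  // htmlspecialchars(item.name)
    // title: attribute parse, then (assumed) a second parse as tooltip HTML.
    titleBefore: classify(SAMPLE_NAME, 1, 2),    // single htmlspecialchars
    titleAfter: classify(SAMPLE_NAME, 2, 2),     // nested htmlspecialchars
    // Caveat: two layers where only one parse happens shows literal entities.
    doubleEscapedPlainText: classify(SAMPLE_NAME, 2, 1),
  };
}

console.log(buildTitleAttr(SAMPLE_NAME, 2));
console.log(report());
```
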

Attack Vector

The attack can be launched remotely without authentication, as the Error Log module is accessible through the administrative interface [1]. An attacker would need to craft a request containing a malicious payload in a parameter that gets stored in the error logs. When an administrator views the logs via the admin_organizer.js component, the unescaped payload executes, leading to XSS [2]. The vulnerable code did not properly encode values such as item.name before inserting them into HTML attributes [2].

Impact

A successful exploit allows the attacker to execute arbitrary JavaScript in the context of the victim administrator's browser session. This could be used to steal session cookies, deface the admin panel, or perform actions on behalf of the authenticated administrator, compromising the CMS backend [1].

Mitigation

The vendor released a patch (commit dfd0afacb26c3682a847bea7b49ea440b63f3baa) that is integrated into Zenario CMS version 8.5 revision 51340 and later [2][3]. Applying this patch or upgrading to a patched version fully resolves the vulnerability. No workaround is documented, and the CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
tribalsystems/zenario (Packagist) | < 8.5.51340 | 8.5.51340

Patches

dfd0afacb26c

Fix for a security vulnerability with the Error Log module

https://github.com/TribalSystems/Zenario · Chris Turnbull · Apr 25, 2020 · via ghsa
7 files changed · +29 −22
  • zenario/admin/db_updates/latest_revision_no.inc.php · +1 −1 · modified
    @@ -37,6 +37,6 @@
     define('ZENARIO_MAJOR_VERSION', '8');
     define('ZENARIO_MINOR_VERSION', '5');
     define('ZENARIO_IS_BUILD', true);
    -define('ZENARIO_REVISION', '50977');
    +define('ZENARIO_REVISION', '51340');
     
     define('TINYMCE_DIR', 'zenario/libs/manually_maintained/lgpl/tinymce_4_7_3/');
    \ No newline at end of file
    
  • zenario/autoload/welcome.php · +3 −1 · modified
    @@ -2620,7 +2620,9 @@ public static function diagnosticsAJAX(&$source, &$tags, &$fields, &$values, $ch
     				}
     			} else {
     				$fields['0/htaccess_unavailable']['row_class'] = 'warning';
    -				$fields['0/htaccess_unavailable']['snippet']['html'] = \ze\admin::phrase('The .htaccess file cannot be read or is missing. (This message needs revising.)');
    +				$fields['0/htaccess_unavailable']['snippet']['html'] = \ze\admin::phrase('The .htaccess file cannot be read or is missing.');
    +				
    +				$fields['0/friendly_urls_disabled']['hidden'] = true;
     			}
     		
     			//Check to see if there are spare domains without a primary domain
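
Review bot: The two edits in this `diagnosticsAJAX` hunk (rewording the `.htaccess` phrase and setting `$fields['0/friendly_urls_disabled']['hidden'] = true`) have no visible connection to the Error Log fix named in the commit message. Move them to their own commit so the security change can be reviewed and backported in isolation, and add a comment saying why the friendly-URLs row is hidden when `.htaccess` cannot be read.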
    
  • zenario/js/admin_organizer.js · +6 −6 · modified
    @@ -4723,10 +4723,10 @@ zenarioO.columnValue = function(i, c, dontHTMLEscape) {
     					href = ' style="cursor: default;"';
     					
     					if (item_link == 'menu_item') {
    -						href += ' title="' + htmlspecialchars(item.name) + '|"';
    +						href += ' title="' + htmlspecialchars(htmlspecialchars(item.name)) + '|"';
     					
     					} else if (item_link == 'content_item' || item_link == 'content_item_or_url') {
    -						href += ' title="' + htmlspecialchars(item.name) + '|"';
    +						href += ' title="' + htmlspecialchars(htmlspecialchars(item.name)) + '|"';
     					}
     				
     				} else {
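
Review bot: The nested `htmlspecialchars(htmlspecialchars(item.name))` in both `title="…|"` assignments has no comment explaining why one layer of escaping is not enough, so a later cleanup could easily collapse it back to a single call. State the reason next to the code (for example that the title text is parsed as HTML a second time, if that is the case) and consider a small named helper for title values so every call site stays in step.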
    @@ -4774,22 +4774,22 @@ zenarioO.columnValue = function(i, c, dontHTMLEscape) {
     					
     					if (isSKLink) {
     						if (item_link == 'menu_item') {
    -							href += ' title="' + htmlspecialchars(item.name) + '|' + phrase.clkToViewLinkedMenuNode + '"';
    +							href += ' title="' + htmlspecialchars(htmlspecialchars(item.name)) + '|' + phrase.clkToViewLinkedMenuNode + '"';
     						
     						} else if (item_link == 'content_item' || item_link == 'content_item_or_url') {
    -							href += ' title="' + htmlspecialchars(item.name) + '|' + phrase.clkToViewLinkedCItem + '"';
    +							href += ' title="' + htmlspecialchars(htmlspecialchars(item.name)) + '|' + phrase.clkToViewLinkedCItem + '"';
     						}
     					
     					} else if (isURL) {
    -						href += ' title="' + htmlspecialchars(item.name) + '|' + phrase.clkToViewLinkInNewWindow + '"';
    +						href += ' title="' + htmlspecialchars(htmlspecialchars(item.name)) + '|' + phrase.clkToViewLinkInNewWindow + '"';
     					}
     				}
     				
     				
     				switch (item_link) {
     					case 'content_item':
     					case 'content_item_or_url':
    -						itemName = item.name;
    +						itemName = htmlspecialchars(item.name);
     						break;
     			
     					case 'menu_item':
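
Review bot: `itemName = htmlspecialchars(item.name)` fixes only the `content_item` / `content_item_or_url` case of this switch, and the hunk does not show what `menu_item` and the remaining cases assign. Confirm that every branch hands on an escaped `itemName`, or escape once at the point where `itemName` is written into markup so that a new `item_link` type cannot miss it. The `dontHTMLEscape` parameter in the function signature also deserves a comment on which callers may pass it.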
    
  • zenario/js/admin_organizer.min.js · +10 −10 · modified
    @@ -20,17 +20,17 @@ h,!0)&&(b=h.path,t=h.info),Y(b,"~t",h)&&(b=h.path,y=h.info),Y(b,"~.",h)&&(b=h.pa
     I={};A=a.branches.length-1;if(-1!==c){N=a._lFB(b,c,"panel_instances");for(t=0;t<A;++t)if(F=a.branches[t].refiners[a.branches[t+1].from])I["refiner__"+(E=F.name)]=F.id;if(F=a.branches[A].refiners[a.path])I["refiner__"+(E=F.name)]=F.id;d&&(I["refiner__"+d.name]=d.id)}N?(N.cmsSetsPath(b),N.cmsSetsRefiner(d)):N=a._iNPI(b,d);var J=a._fPOM(b,"default_sort_column");J||(J="name");F=a._fPOM(b);N.cmsSetsPanelTUIX(F);N.cmsSetsRequestedItem(s);N.cmsSetsSearchTerm(G);x=x&&!_._isEm(x)?w._cl(x):{};for(var H in x)p(x,
     H)&&(A=x[H],a._fSOC(H,x)?(r(A.not)&&(A.not?A.not=1:delete A.not),r(A.s)&&(A.s=v(A.s))):x[H]&&(x[H]={}));r(u)||(u=1*N.returnPageSize());H=F.reorder;var L=N.returnDoSortingAndSearchingOnServer(),K=N.returnAJAXURL(),M=N.returnDevToolsAJAXURL(),D={};A=function(e){a.go2(b,K,M,D,c,z,J,u,O,s,N,G,x,d,E,I,L,g,Z,e)};if(K){l.zenarioONotFull&&(l.zenarioOSelectMode?K+="&_select_mode=1":l.zenarioOQuickMode&&(K+="&_quick_mode=1"));a._aWPI(D);e&&!f&&(D._queued=1);r(d)&&(D.refinerId=d.id,D.refinerName=d.name,d.languageId&&
     (D.languageId=d.languageId));l.zenarioOCombineItem&&(D._combineItem=l.zenarioOCombineItem);for(var C in I)p(I,C)&&(D[C]=I[C]);if(L||a.CSVExport){if(u)if(D._limit=u,D._start=a.refreshToPage?(a.refreshToPage-1)*u:0,s)D._item=s;else if(g)if("object"==typeof g&&g.selectedItemFromLastPanel)D._item=g.selectedItemFromLastPanel;else if(e=a._gSIFLP(b))D._item=e;H&&H.column?D._sort_col=H.column:a.prefs[b]&&a.prefs[b].sortBy?(D._sort_col=a.prefs[b].sortBy,D._sort_desc=a.prefs[b].sortDesc?1:0):(D._sort_col=J,
    -D._sort_desc=v(a._fPOM(b,"default_sort_desc")))}x&&!_._isEm(x)&&(D._filters=JSON.stringify(x));(L||a.CSVExport)&&r(G)&&(D._search=G)}if(B)return K+w._uR(D);a._stRe();b!=a.defaultPathInIframePreload&&(m("organizer_preloader_circle").style.display="block");r(l.zenarioOFirstLoad)&&(l.zenarioOFirstLoad?l.zenarioOFirstLoad=!1:a._rOIIR(b));K?w._a(K+w._uR(D),!1,!0,!0,!0,!0).after(A):A(F)}}else l.zenarioONotFull||(l.zenarioOQueue=[{path:b,branch:-1}])}};a.go2=function(b,c,d,e,f,g,h,s,F,m,u,t,G,x,B,y,A,z,
    +D._sort_desc=v(a._fPOM(b,"default_sort_desc")))}x&&!_._isEm(x)&&(D._filters=JSON.stringify(x));(L||a.CSVExport)&&r(G)&&(D._search=G)}if(B)return K+w._uR(D);a._stRe();b!=a.defaultPathInIframePreload&&(m("organizer_preloader_circle").style.display="block");r(l.zenarioOFirstLoad)&&(l.zenarioOFirstLoad?l.zenarioOFirstLoad=!1:a._rOIIR(b));K?w._a(K+w._uR(D),!1,!0,!0,!0,!0).after(A):A(F)}}else l.zenarioONotFull||(l.zenarioOQueue=[{path:b,branch:-1}])}};a.go2=function(b,c,d,e,f,g,h,s,F,m,t,u,G,x,B,y,A,z,
     I,E){E&&r(E.comment)&&l.console&&console.log(E.comment);if((q.isFullOrganizerWindow||q._cIBIO("og"))&&g==a.goNum){a._stRe();var N=a.path,Q,S;a.tuix&&(Q=B&&a.tuix.refiners&&a.tuix.refiners[B]&&a.tuix.refiners[B].title||a.tuix.title,S=v(a.tuix.no_return));a.url=c+w._uR(e);a.devToolsURL=d!=c?d+w._uR(e):k;a.lastRequests=e;a.path=b;a.defaultSortColumn=h;a.thisPageSize=s;a.server_side=A;a.inspectionView=F;a.inspectionViewItem=m;a.prefs[b]||(a.prefs[b]={});-1===f?a._reBr():f&&a._br(b,N,Q,S);a.pi=a.branches[a.branches.length-
    -1].panel_instances[a.path]=u;r(E._filters)&&(G=E._filters,delete E._filters);a.branches[a.branches.length-1].filters[a.path]=G;a._sS(t);delete a.tuix;a.tuix=E;a.focus=a.tuix;a.pi.cmsSetsPanelTUIX(a.tuix);a.filtersSet=!1;a.filtersSetInViewOptions=!1;for(var J in G)if(p(G,J)&&a._fSOC(J,G)&&(a.filtersSet=!0,a._cFC(J))){a.filtersSetInViewOptions=!0;break}a._mIVIF();a._sR(x);a.lastRefiners=y;a.tuix.columns||(a.tuix.columns={name:{title:"Name"}});(c=a._fPOM(b,"reorder"))&&c.column?(a.sortBy=c.column,a.sortDesc=
    +1].panel_instances[a.path]=t;r(E._filters)&&(G=E._filters,delete E._filters);a.branches[a.branches.length-1].filters[a.path]=G;a._sS(u);delete a.tuix;a.tuix=E;a.focus=a.tuix;a.pi.cmsSetsPanelTUIX(a.tuix);a.filtersSet=!1;a.filtersSetInViewOptions=!1;for(var J in G)if(p(G,J)&&a._fSOC(J,G)&&(a.filtersSet=!0,a._cFC(J))){a.filtersSetInViewOptions=!0;break}a._mIVIF();a._sR(x);a.lastRefiners=y;a.tuix.columns||(a.tuix.columns={name:{title:"Name"}});(c=a._fPOM(b,"reorder"))&&c.column?(a.sortBy=c.column,a.sortDesc=
     !1):a.prefs[b].sortBy&&a.tuix.columns[a.prefs[b].sortBy]?(a.sortBy=a.prefs[b].sortBy,a.sortDesc=a.prefs[b].sortDesc):((h=a._fPOM(b,"default_sort_column"))?a.sortBy=h:a.sortBy=a.defaultSortColumn,a.sortDesc=v(a._fPOM(b,"default_sort_desc")));a.pi.cmsSetsSortColumn(a.sortBy,a.sortDesc);a.sortedColumns=a._gSIOTE("columns");a.sortedItemButtons=a._gSIOTE("item_buttons");a.sortedInlineButtons=a._gSIOTE("inline_buttons");a.sortedCollectionButtons=a._gSIOTE("collection_buttons");a.sortedQuickFilterButtons=
     a._gSIOTE("quick_filter_buttons");a.shownColumns=a._gSC(b,h,a.tuix.columns);if(a.prefs[b].sortedColumns){c={};for(var H in a.prefs[b].sortedColumns)p(a.prefs[b].sortedColumns,H)&&(J=a.prefs[b].sortedColumns[H],c[J]=H);h=!1;for(H in a.sortedColumns)if(p(a.sortedColumns,H)){J=a.sortedColumns[H];if(a._iSC(J,!1,!0)&&!r(c[J])){h=c[h];h=r(h)?1*h+1:0;a.prefs[b].sortedColumns.splice(h,0,J);for(var L in c)p(c,L)&&c[L]>=h&&++c[L];c[J]=h}h=J}a.sortedColumns=a.prefs[b].sortedColumns}a.tuix.items&&1==a.tuix.__item_count__&&
     v(a.tuix.allow_bypass)?a.branches[a.branches.length-1].bypasses[a.path]=!0:delete a.branches[a.branches.length-1].bypasses[a.path];if(!a._cQ(!0)){if(a.tuix.items&&1==a.tuix.__item_count__&&v(a.tuix.allow_bypass))if(z){if(!1!==a._gBBT()){a._b();return}}else{if(a.tuix.items)for(var K in a.tuix.items)if(p(a.tuix.items,K)){H={};H[K]=!0;a.pi.cmsSetsSelectedItems(H);if(a._iCTA(K))return;break}}else if((!a.tuix.items||!a.tuix.__item_count__)&&v(a.tuix.return_if_empty)&&!1!==a._gBBT()){a._b();return}K={};
     L={};H={};var U,D,C,P;for(J in a.tuix.columns)if(p(a.tuix.columns,J)&&(c=a.tuix.columns[J],a._iSC(J)&&(b=c.item_link)))switch(b){case "content_item":case "content_item_or_url":for(D in a.tuix.items)p(a.tuix.items,D)&&(U=a.tuix.items[D][J])&&(c=U.s("_"),c[0]&&"null"!=c[0]&&c[0]===c[0].r(/\W/,"")&&c[1]&&c[1]==1*c[1]&&(C=a._iL(D),P=a._iP(D),L[C]||(L[C]={}),L[C][P]=L[C][P]?L[C][P]+",":"",L[C][P]+=c[0]+"_"+c[1]));break;case "menu_item":for(D in a.tuix.items)p(a.tuix.items,D)&&(U=a.tuix.items[D][J])&&U==
     1*U&&(C=a._iL(D),K[C]=K[C]?K[C]+",":"",K[C]+=U);break;default:for(D in a.tuix.items)p(a.tuix.items,D)&&(U=a.tuix.items[D][J])&&(H[b]=H[b]?H[b]+",":"",H[b]+=U)}a.contentItems={};a.menuItems={};a.otherItemLinks={};a.itemLinkRequestsLeft=0;a.shallowLinks={content_item:"zenario__content/panels/content",content_item_or_url:"zenario__content/panels/content",menu_item:"zenario__menu/panels/menu_nodes"};for(C in L)if(p(L,C))for(P in L)p(L,P)&&L[C][P]&&(a.contentItems[C]||(a.contentItems[C]={}),a.contentItems[C][P]||
    -(a.contentItems[C][P]={}),c=M+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.content_item+"&_get_item_links="+L[C][P]+"&languageId="+T(C),++a.itemLinkRequestsLeft,a._gDH(c,C,function(b,c){g==a.goNum&&(a.contentItems[b][P]=c,--a.itemLinkRequestsLeft||a.go3(g,t,z,I))}));for(C in K)p(K,C)&&(J=K[C])&&(a.menuItems[C]||(a.menuItems[C]={}),c=M+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.menu_item+"&_get_item_links="+T(J)+"&languageId="+T(C)+"&refinerName=language&refinerId="+T(C)+"&refiner__language="+
    -T(C),++a.itemLinkRequestsLeft,a._gDH(c,C,function(b,c){g==a.goNum&&(a.menuItems[b]=c,--a.itemLinkRequestsLeft||a.go3(g,t,z,I))}));for(b in H)p(H,b)&&(J=H[b])&&(a.otherItemLinks[b]||(a.otherItemLinks[b]={}),c=M+"zenario/admin/organizer.ajax.php?path="+T(b)+"&_get_item_links="+T(J),++a.itemLinkRequestsLeft,a._gDH(c,b,function(b,c){g==a.goNum&&(a.otherItemLinks[b]=c,--a.itemLinkRequestsLeft||a.go3(g,t,z,I))}));a.itemLinkRequestsLeft?(a.go3Timeout&&clearTimeout(a.go3Timeout),a.go3Timeout=setTimeout(function(){a.go3(g,
    -t,z,I)},a.getItemLinkTimeoutTime)):a.go3(g,t,z,I)}}};a.getDataHack=function(a,c,d){w._a(a,2E3<a.length,!0,!0,!0).after(function(a){d(c,a)})};a.go3=function(b,c,d,e){(q.isFullOrganizerWindow||q._cIBIO("og"))&&b==a.goNum&&(a.lastSuccessfulGoNum=++a.goNum,a.go3Timeout&&clearTimeout(a.go3Timeout),m("organizer_preloader_circle").style.display="none",a._sN(),!d&&a.tuix.popout_message&&(r(a.refreshToPage)&&a.tuix.popout_message==a.lastPopoutMessage||q._sM(a.tuix.popout_message,!0,!1),a.lastPopoutMessage=
    +(a.contentItems[C][P]={}),c=M+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.content_item+"&_get_item_links="+L[C][P]+"&languageId="+T(C),++a.itemLinkRequestsLeft,a._gDH(c,C,function(b,c){g==a.goNum&&(a.contentItems[b][P]=c,--a.itemLinkRequestsLeft||a.go3(g,u,z,I))}));for(C in K)p(K,C)&&(J=K[C])&&(a.menuItems[C]||(a.menuItems[C]={}),c=M+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.menu_item+"&_get_item_links="+T(J)+"&languageId="+T(C)+"&refinerName=language&refinerId="+T(C)+"&refiner__language="+
    +T(C),++a.itemLinkRequestsLeft,a._gDH(c,C,function(b,c){g==a.goNum&&(a.menuItems[b]=c,--a.itemLinkRequestsLeft||a.go3(g,u,z,I))}));for(b in H)p(H,b)&&(J=H[b])&&(a.otherItemLinks[b]||(a.otherItemLinks[b]={}),c=M+"zenario/admin/organizer.ajax.php?path="+T(b)+"&_get_item_links="+T(J),++a.itemLinkRequestsLeft,a._gDH(c,b,function(b,c){g==a.goNum&&(a.otherItemLinks[b]=c,--a.itemLinkRequestsLeft||a.go3(g,u,z,I))}));a.itemLinkRequestsLeft?(a.go3Timeout&&clearTimeout(a.go3Timeout),a.go3Timeout=setTimeout(function(){a.go3(g,
    +u,z,I)},a.getItemLinkTimeoutTime)):a.go3(g,u,z,I)}}};a.getDataHack=function(a,c,d){w._a(a,2E3<a.length,!0,!0,!0).after(function(a){d(c,a)})};a.go3=function(b,c,d,e){(q.isFullOrganizerWindow||q._cIBIO("og"))&&b==a.goNum&&(a.lastSuccessfulGoNum=++a.goNum,a.go3Timeout&&clearTimeout(a.go3Timeout),m("organizer_preloader_circle").style.display="none",a._sN(),!d&&a.tuix.popout_message&&(r(a.refreshToPage)&&a.tuix.popout_message==a.lastPopoutMessage||q._sM(a.tuix.popout_message,!0,!1),a.lastPopoutMessage=
     a.tuix.popout_message),a._sASI(c),a.firstLoaded||(a.firstLoaded=!0,q._hAL()),a._sWC("loaded",!0),a._sWC("filters_set",a.filtersSet),a._sWC("filters_set_in_view_options",a.filtersSetInViewOptions),e&&e())};a.setWrapperClass=function(a,c){$("#organizer__box_inner").removeClass("organizer_"+(c?"not_":"")+a).addClass("organizer_"+(c?"":"not_")+a)};a.itemLanguage=function(b){return b&&a.tuix&&a.tuix.items&&a.tuix.items[b]&&(!a.tuix.items[b].css_class||-1==(""+a.tuix.items[b].css_class).indexOf("ghost"))&&
     a.tuix.items[b].language_id?a.tuix.items[b].language_id:a.tuix&&a.tuix.key?a.tuix.key.languageId||a.tuix.key.language:""};a.itemParent=function(a){return""};a.getShownColumns=function(b,c,d){var e=!1,f=!1,g={};a.prefs&&a.prefs[b]&&a.prefs[b].shownColumns&&(g=a.prefs[b].shownColumns);if(d)for(var h in d)p(d,h)&&(e||(e=h),v(d[h].always_show)?f=g[h]=!0:r(g[h])?g[h]&&(f=!0):v(d[h].show_by_default)&&(f=g[h]=!0));f||(g[e||c]=!0);return g};a.nextPage=function(){if(a.lockPageClicks)return!1;a.page<a.pageCount&&
     a._gTP(a.page+1)};a.prevPage=function(){if(a.lockPageClicks)return!1;1<a.page&&a._gTP(a.page-1)};a.goToPage=function(b){if(a.stop)return!1;a.page!=b&&a._dAI();a.lockPageClicks=!0;a.inspectionView=!1;a.pi.resetScrollPosition();a.server_side?a._rASP(b):a.showPage(b)};a.goToLastPage=function(){if(a.stop)return!1;a._gTP(a.pageCount)};a.refreshAndShowPage=function(b){a.page=b||1;a._l()};a.showPage=function(b){a.page=b;a._sePa()};a.searchAndSortItems=function(b){var c;r(a.refreshToPage)||a._seSe(b);a.server_side?
    @@ -89,11 +89,11 @@ c)&&a._iSC(c)){if(m("v"+c)||m("v"+c+"___yes"))(b=S.readField("v"+c))?a._sFV("v",
     a.isShowableColumn=function(b,c){var d=a.tuix.columns[b];return c?a.shownColumns[b]&&a._iSC(b):d&&d.title&&!v(d.server_side_only)&&!u._h(k,a,k,b,k,d)&&!a._cHBF(d)};a.getSortedIdsOfTUIXElements=function(b,c,d){return u._gSIOTE(a.tuix,b,c,d)};a.sortArray=function(a,c){return a[1]===c[1]?0:(a[2]?c[2]:!c[2])?a[1]<c[1]?-1:1:a[2]?-1:1};a.dateDays="Sunday Monday Tuesday Wednesday Thursday Friday Saturday".split(" ");a.dateMonths="January Feburary March April May June July August September October November December".split(" ");
     a.checkCondition=function(b){var c,d=a.pi.returnSelectedItems();for(c in d)if(p(d,c)&&(!a.tuix.items[c]||!b(c,a.tuix.items[c])))return!1;return!0};a.columnEqual=function(b,c){return a._cC(function(d){return a._cRV(d,b)==c})};a.columnNotEqual=function(b,c){return a._cC(function(d){return a._cRV(d,b)!=c})};a.columnRawValue=function(b,c){return a.tuix&&a.tuix.columns&&r(a.tuix.columns[c])&&r(a.tuix.items[b])?a.tuix.items[b][c]:""};a.columnValue=function(b,c,d){if(!a.tuix)return"";var e=a.tuix.columns&&
     a.tuix.columns[c]||{},f=a.tuix.items[b][c],f=!1!==f&&r(f)?""+f:"",g=e.item_link,h=!0,s=!1;if(g){var k=!1;switch(g){case "content_item":case "content_item_or_url":var m=a._iL(b),p=a._iP(b);if(!(f&&a.contentItems[m]&&a.contentItems[m][p]&&(k=a.contentItems[m][p].items)&&(k=k[f])))if("content_item_or_url"==g&&f&&"_"!=f.substr(0,1)&&"_"!=f.substr(1,2))k={name:f,frontend_link:f},h=!1;else return"";break;case "menu_item":m=a._iL(b);f&&a.menuItems[m]&&(k=a.menuItems[m].items)&&(k=k[f]);break;default:f&&
    -a.otherItemLinks[g]&&(k=a.otherItemLinks[g].items)&&(k=k[f])}if(k){if(d)return k.name;d="";if(a.tuix.items[b].cell_css_classes&&a.tuix.items[b].cell_css_classes[c]&&-1!=(""+a.tuix.items[b].cell_css_classes[c]).indexOf("ghost"))if(d=' style="cursor: default;"',"menu_item"==g)d+=' title="'+t(k.name)+'|"';else{if("content_item"==g||"content_item_or_url"==g)d+=' title="'+t(k.name)+'|"'}else if(h&&!l.zenarioONotFull?(c="",e=a.shallowLinks[g]||g,d=k.navigation_path?k.navigation_path:a.shallowLinks[g]?a.shallowLinks[g]+
    -"//"+f:g+"//"+f,a.shallowLinks[g]&&(c=", name: 'following_item_link', languageId: '"+t(a._iL(b))+"'"),d=' href="organizer.php#'+t(d)+'" onclick="zenarioO._dAI();var selectedItems = {};selectedItems[\''+t(b)+"'] = true;zenarioO.pi.cmsSetsSelectedItems(selectedItems);zenarioO._sH();zenarioO.go('"+t(e)+"', true, {id: '"+t(f)+"'"+c+"}, undefined, undefined, undefined, undefined, '"+t(f)+"');return zenario._st(event);\""):k.navigation_path?d=' href="'+M+"zenario/admin/organizer.php#/"+t(k.navigation_path)+
    -'" target="_blank"':(h=!1,k.frontend_link&&(s=!0,d=' href="'+t(w._aBP(k.frontend_link))+'" target="_blank"')),h)if("menu_item"==g)d+=' title="'+t(k.name)+"|"+y.clkToViewLinkedMenuNode+'"';else{if("content_item"==g||"content_item_or_url"==g)d+=' title="'+t(k.name)+"|"+y.clkToViewLinkedCItem+'"'}else s&&(d+=' title="'+t(k.name)+"|"+y.clkToViewLinkInNewWindow+'"');switch(g){case "content_item":case "content_item_or_url":b=k.name;break;case "menu_item":b=t(k.name);h=b.r(/.*?\-\&gt\; /g,"-&gt; ");h==b&&
    -(h=b.r(/.*?\: /g,""));b=h;break;default:b=q._fOIN(a.otherItemLinks[g],f)}return u._mT("zenario_organizer_item_link",{item:k,item_link:g,itemName:b,href:d,panel:a.otherItemLinks[g],value:f})}}if(e.format||e.empty_value)f=q._fSIF(f,e);g=e.length_limit&&f.length>e.length_limit;return d?g?f.substr(0,e.length_limit)+"...":f:g?'<span class="tooltip" title="'+t(f)+'">'+t(f.substr(0,e.length_limit))+"...</span>":t(f)};a.rowCssClass=function(b){b=a.tuix.items[b]||{};return b.row_class||b.row_css_class||""};
    -a.columnCssClass=function(b,c){var d="",e=a.tuix.columns[b],f=r(c)&&a.tuix.items[c];e&&e.css_class&&(d+=" "+e.css_class);f&&f.cell_css_classes&&f.cell_css_classes[b]&&(d+=" "+f.cell_css_classes[b]);f&&f[b]&&e&&e.values&&e.values[f[b]]&&e.values[f[b]].css_class&&(d+=" "+e.values[f[b]].css_class);return d};a.setBackButton=function(){var b,c="",d=a._gBBT(-1,!0),e={buttons:[]};if(d&&0!=d.length){m("organizer_branding_title").style.display="none";m("organizer_backButton").style.display="block";for(b in d)p(d,
    +a.otherItemLinks[g]&&(k=a.otherItemLinks[g].items)&&(k=k[f])}if(k){if(d)return k.name;d="";if(a.tuix.items[b].cell_css_classes&&a.tuix.items[b].cell_css_classes[c]&&-1!=(""+a.tuix.items[b].cell_css_classes[c]).indexOf("ghost"))if(d=' style="cursor: default;"',"menu_item"==g)d+=' title="'+t(t(k.name))+'|"';else{if("content_item"==g||"content_item_or_url"==g)d+=' title="'+t(t(k.name))+'|"'}else if(h&&!l.zenarioONotFull?(c="",e=a.shallowLinks[g]||g,d=k.navigation_path?k.navigation_path:a.shallowLinks[g]?
    +a.shallowLinks[g]+"//"+f:g+"//"+f,a.shallowLinks[g]&&(c=", name: 'following_item_link', languageId: '"+t(a._iL(b))+"'"),d=' href="organizer.php#'+t(d)+'" onclick="zenarioO._dAI();var selectedItems = {};selectedItems[\''+t(b)+"'] = true;zenarioO.pi.cmsSetsSelectedItems(selectedItems);zenarioO._sH();zenarioO.go('"+t(e)+"', true, {id: '"+t(f)+"'"+c+"}, undefined, undefined, undefined, undefined, '"+t(f)+"');return zenario._st(event);\""):k.navigation_path?d=' href="'+M+"zenario/admin/organizer.php#/"+
    +t(k.navigation_path)+'" target="_blank"':(h=!1,k.frontend_link&&(s=!0,d=' href="'+t(w._aBP(k.frontend_link))+'" target="_blank"')),h)if("menu_item"==g)d+=' title="'+t(t(k.name))+"|"+y.clkToViewLinkedMenuNode+'"';else{if("content_item"==g||"content_item_or_url"==g)d+=' title="'+t(t(k.name))+"|"+y.clkToViewLinkedCItem+'"'}else s&&(d+=' title="'+t(t(k.name))+"|"+y.clkToViewLinkInNewWindow+'"');switch(g){case "content_item":case "content_item_or_url":b=t(k.name);break;case "menu_item":b=t(k.name);h=b.r(/.*?\-\&gt\; /g,
    +"-&gt; ");h==b&&(h=b.r(/.*?\: /g,""));b=h;break;default:b=q._fOIN(a.otherItemLinks[g],f)}return u._mT("zenario_organizer_item_link",{item:k,item_link:g,itemName:b,href:d,panel:a.otherItemLinks[g],value:f})}}if(e.format||e.empty_value)f=q._fSIF(f,e);g=e.length_limit&&f.length>e.length_limit;return d?g?f.substr(0,e.length_limit)+"...":f:g?'<span class="tooltip" title="'+t(f)+'">'+t(f.substr(0,e.length_limit))+"...</span>":t(f)};a.rowCssClass=function(b){b=a.tuix.items[b]||{};return b.row_class||b.row_css_class||
    +""};a.columnCssClass=function(b,c){var d="",e=a.tuix.columns[b],f=r(c)&&a.tuix.items[c];e&&e.css_class&&(d+=" "+e.css_class);f&&f.cell_css_classes&&f.cell_css_classes[b]&&(d+=" "+f.cell_css_classes[b]);f&&f[b]&&e&&e.values&&e.values[f[b]]&&e.values[f[b]].css_class&&(d+=" "+e.values[f[b]].css_class);return d};a.setBackButton=function(){var b,c="",d=a._gBBT(-1,!0),e={buttons:[]};if(d&&0!=d.length){m("organizer_branding_title").style.display="none";m("organizer_backButton").style.display="block";for(b in d)p(d,
     b)&&(e.buttons[b]={orderAsc:b+1,orderDesc:d.length-b,title:d[b]});c=u._mT("zenario_organizer_back_buttons",e)}else m("organizer_branding_title").style.display="block",m("organizer_backButton").style.display="none";m("organizer_backButton").innerHTML=c;q._to("#organizer_backButton *[title]");q._sTITL(".organizer_lastBackButton a",k,q.tooltipLengthThresholds.organizerBackButton)};a.getBackButtonTitle=function(b,c){return a._gFLP(a.branches.length-1,a.path,"title",!1,b,c)};a.getSelectedItemFromLastPanel=
     function(b){var c,d=!1;(panelInstance=a._gFLP(a.branches.length-1,a.path,"panel_instances",!0))&&(panelInstance=panelInstance[b])&&(d=panelInstance.returnSelectedItems());if(d)for(c in d)if(p(d,c))return c;return!1};a.getFromLastPanel=function(b,c,d,e,f,g,h,k){if(!a.tuix||!a.path)return!1;var m=!1,p,q=!1,u=!1;r(f)||(f=1);r(h)||(h={});r(h.path)||(h.path=c);r(h.pops)||(h.pops=0);if(0===b&&-1==c.indexOf("/")||"no_return"!=d&&(v(a._gFLP(b,c,"no_return"))||0===b&&!a.tuix.back_link||2>b&&a.currentTopLevelPathHasRefiner))return!1;
     if(0<b&&c==a.branches[b].to){if(l.zenarioONotFull&&l.zenarioOMinPath&&c==l.zenarioOMinPath&&(l.zenarioODisallowRefinersLoopingOnMinPath||a.branches[b].from!=c))return!1;if(a.branches[b-1].bypasses[a.branches[b].from]&&a.knownBranches[a.branches[b].from]&&a.knownBranches[a.branches[b].from][a.branches[b].to]&&a.knownBranches[a.branches[b].from][a.branches[b].to][a.branches[b].refiners[a.branches[b].to]?a.branches[b].refiners[a.branches[b].to].name:1]&&"item"==a.knownBranches[a.branches[b].from][a.branches[b].to][a.branches[b].refiners[a.branches[b].to]?
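
Review bot: In this regenerated `admin_organizer.min.js`, the escaping change (`t(k.name)` becoming `t(t(k.name))`, and `b=k.name` becoming `b=t(k.name)`) is interleaved with unrelated minifier churn, such as the swapped `t`/`u` parameter names in `a.go2` and shifted line breaks, which makes it impractical to verify by eye that the shipped file matches `admin_organizer.js`. Build the minified file from source in the release process, or record the minifier command so a reviewer can regenerate it and compare.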
    
  • zenario/modules/zenario_forum/module_code.php · +3 −1 · modified
    @@ -466,7 +466,9 @@ protected function manageUploads($postId){
     				$filesToUpload = &$_FILES['filesToUpload'];
     				$files_count = count($filesToUpload['name']);
     				for($i=0; $i < $files_count; ++$i){
    -					$this->manageOneUpload($postId, $filesToUpload['tmp_name'][$i], $filesToUpload['name'][$i]);
    +					if (empty($filesToUpload['error'][$i])) {
    +						$this->manageOneUpload($postId, $filesToUpload['tmp_name'][$i], $filesToUpload['name'][$i]);
    +					}
     				}
     			}
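
Review bot: The new `empty($filesToUpload['error'][$i])` guard in `manageUploads` skips a failed upload silently, so the poster gets no indication that an attachment was dropped. Report or log the error code for skipped entries, and move this change out of the Error Log security commit, since it touches an unrelated module.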
     			
    
  • zenario/styles/admin_organizer.css · +2 −0 · modified
    @@ -2358,6 +2358,8 @@ div.organizer_pageSize {
     	left:0;
     	margin: 0px auto;
     	padding:0 0 5px;
    +	max-height:70vh;
    +	overflow-y:auto;
     }
     
     #organizer_quickFilter ul ul li {
    
  • zenario/styles/admin_organizer.min.css · +4 −3 · modified
    @@ -198,9 +198,10 @@ body.ie6 #organizer_header #organizer_refreshRightColumn{margin-right:0}body.ie6
     #organizer_quickFilter ul li a{display:block;line-height:24px;padding:0 12px 0 12px;color:black;background-color:#e6e6e6;border:1px solid #d0d0d0;text-decoration:none;-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px;margin-top:5px}
     #organizer_quickFilter ul li.group_break a{padding:0 2px;background:transparent;border:0}#organizer_quickFilter ul li a span{padding-bottom:20px}#organizer_quickFilter ul ul,#organizer_quickFilter ul ul li a{height:auto}
     #organizer_quickFilter ul ul li a{float:none;line-height:18px;border:0;margin:0;padding:3px 5px 4px}#organizer_quickFilter ul li li a span{padding-bottom:0}
    -#organizer_quickFilter ul ul{width:200px;z-index:90 !important;position:absolute;top:38px;left:0;margin:0 auto;padding:0 0 5px}#organizer_quickFilter ul ul li{padding:0;border-top:1px solid #747474;border-bottom:1px solid #000;margin:0 5px}
    -#organizer_quickFilter ul ul li:first-child{border-top:0}#organizer_quickFilter ul ul li:last-child{border-bottom:0}#organizer_quickFilter ul li ul li ul{top:0;left:100%}
    -#organizer_quickFilter ul ul,#organizer_quickFilter ul li:hover ul ul{display:none}#organizer_quickFilter ul li:hover ul{display:block}#organizer_quickFilter ul ul{background:#333;border:1px solid #333;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;-webkit-box-shadow:0 0 3px 0 #d6d6d6;box-shadow:0 0 3px 0 #d6d6d6}
    +#organizer_quickFilter ul ul{width:200px;z-index:90 !important;position:absolute;top:38px;left:0;margin:0 auto;padding:0 0 5px;max-height:70vh;overflow-y:auto}
    +#organizer_quickFilter ul ul li{padding:0;border-top:1px solid #747474;border-bottom:1px solid #000;margin:0 5px}#organizer_quickFilter ul ul li:first-child{border-top:0}
    +#organizer_quickFilter ul ul li:last-child{border-bottom:0}#organizer_quickFilter ul li ul li ul{top:0;left:100%}#organizer_quickFilter ul ul,#organizer_quickFilter ul li:hover ul ul{display:none}
    +#organizer_quickFilter ul li:hover ul{display:block}#organizer_quickFilter ul ul{background:#333;border:1px solid #333;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;-webkit-box-shadow:0 0 3px 0 #d6d6d6;box-shadow:0 0 3px 0 #d6d6d6}
     #organizer_quickFilter ul ul:after{border-color:#333 transparent;border-style:solid;border-width:0 8px 8px;bottom:100%;content:"";height:0;position:absolute;left:15px;width:0}
     #organizer_quickFilter ul ul:before{border-color:#333 transparent;border-style:solid;border-width:0 10px 10px;bottom:100%;content:"";height:0;position:absolute;left:13px;width:0}
     #organizer_quickFilter ul li.organizer_button_with_children>a{background:url('../admin/images/icon-arrow-down-dark.svg') no-repeat right center / 8px 8px;line-height:28px;margin-top:3px;padding-right:25px}
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
