Joomseller Events Booking Pro / JSE Event Cross Site Scripting

2013.08.06
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

----------------------------------------------------------------------------------------------
Joomseller "Events Booking Pro" and "JSE Event" reflected XSS
----------------------------------------------------------------------------------------------

[+] Software Link:
http://www.joomseller.com/joomla-components/jse-event.html

[+] Affected Versions:
Component com_events_booking_v5
Component com_jse_event < 1.0.1

[+] Vulnerability Description:
The vulnerable files are the following:
.- For JSE Event: /modules/mod_jse_mini_calendar/tmpl/tootip.php
.- For Events Booking Pro: /modules/mod_eb_v5_mini_calendar/tmpl/tootip.php

The "info" parameter is not correctly sanitized before being used, allowing an attacker to perform XSS attacks.

As a proof of concept, an attacker could perform the following request:
http://example.com/modules/mod_eb_v5_mini_calendar/tmpl/tootip.php?info=eyJldmVudHMiOiIoMTU6MDA6MDApIDxzY3JpcHQ%2BYWxlcnQoMSk7PC9zY3JpcHQ%2BIiwgImV2ZW50X2lkIjoiNjQiLCAiaXRlbWlkIjoiMSIsICJldnJfaWQiOiIxMTkxIn0%3D

where the contents of the info parameter are the following payload, base64-encoded:
{"events":"(15:00:00) <script>alert(1);</script>", "event_id":"64", "itemid":"1", "evr_id":"1191"}

[+] Solution:
Upgrade to JSE Event version 1.0.1.

[+] Report Timeline:
[30/07/2013] - Vulnerability reported to the vendor
[30/07/2013] - Developer confirms vulnerability and update released
[05/08/2013] - Public disclosure

[+] Credits:
Vulnerability discovered by Gaston Traberg.
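The advisory describes the "info" parameter as a base64-encoded JSON object whose "events" string is echoed into the tooltip markup unescaped. The following Python is an added example, not code from the Joomseller modules or from the advisory author: it models that decode-then-render step, shows the unsafe rendering beside its HTML-escaped form, and adds a log-review check that decodes a captured "info" value and flags markup in any field. The field names and the sample value come from the advisory; the rendering functions and the set of expected keys are assumptions made for the example.

```python
"""Defender-side handling of a base64+JSON "info" query parameter.

Added example (not the component's own code). It models the parameter the
advisory describes, i.e. a base64-encoded JSON object with the keys "events",
"event_id", "itemid" and "evr_id", and shows:
  (a) the vulnerable pattern, decoded "events" text concatenated into HTML,
  (b) the hardened pattern, same text rendered through html.escape(),
  (c) a detection helper that decodes a captured parameter and flags markup.
"""
import base64
import binascii
import html
import json
import re
from urllib.parse import unquote

# Value of the info= parameter from the advisory's proof-of-concept request
# (URL-encoded base64). Decoding it is the point of the example.
ADVISORY_INFO_PARAM = (
    "eyJldmVudHMiOiIoMTU6MDA6MDApIDxzY3JpcHQ%2BYWxlcnQoMSk7PC9zY3JpcHQ%2BIiwg"
    "ImV2ZW50X2lkIjoiNjQiLCAiaXRlbWlkIjoiMSIsICJldnJfaWQiOiIxMTkxIn0%3D"
)

# Keys the advisory's payload carries; treating anything else as unexpected is
# an assumption made for the detection helper, not documented module behaviour.
EXPECTED_KEYS = {"events", "event_id", "itemid", "evr_id"}
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def decode_info(raw_param: str) -> dict:
    """URL-decode, base64-decode and JSON-parse the parameter.

    Raises ValueError for anything that is not a well-formed JSON object so
    callers never operate on half-decoded input.
    """
    try:
        decoded = base64.b64decode(unquote(raw_param), validate=True)
        obj = json.loads(decoded.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed info parameter: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("info parameter must decode to a JSON object")
    return obj


def encode_info(info: dict) -> str:
    """Build the parameter the way a legitimate caller would (used for tests)."""
    return base64.b64encode(json.dumps(info).encode("utf-8")).decode("ascii")


def render_tooltip_unsafe(info: dict) -> str:
    """Vulnerable pattern: the decoded string goes into the HTML verbatim."""
    return f'<div class="tooltip">{info.get("events", "")}</div>'


def render_tooltip_safe(info: dict) -> str:
    """Hardened pattern: only the expected field is used, as text, HTML-escaped.

    html.escape() with quote=True also neutralises " and ', so the value is
    safe inside attribute values as well as element content.
    """
    events = info.get("events", "")
    if not isinstance(events, str):
        events = ""  # a non-string here is never legitimate; drop it
    return f'<div class="tooltip">{html.escape(events, quote=True)}</div>'


def flag_request(raw_param: str) -> dict:
    """Detection helper for access-log review.

    Decodes the captured parameter and reports whether any string field
    carries HTML markup or whether the object has keys outside EXPECTED_KEYS.
    Undecodable values are reported as suspicious too, since the module only
    ever expects well-formed base64 JSON here.
    """
    try:
        info = decode_info(raw_param)
    except ValueError as exc:
        return {"suspicious": True, "reason": str(exc),
                "markup_fields": [], "unexpected_keys": []}
    markup_fields = [k for k, v in info.items()
                     if isinstance(v, str) and TAG_RE.search(v)]
    unexpected = sorted(set(info) - EXPECTED_KEYS)
    return {"suspicious": bool(markup_fields or unexpected),
            "markup_fields": markup_fields, "unexpected_keys": unexpected}


if __name__ == "__main__":
    info = decode_info(ADVISORY_INFO_PARAM)
    print("decoded :", info)
    print("unsafe  :", render_tooltip_unsafe(info))
    print("safe    :", render_tooltip_safe(info))
    print("verdict :", flag_request(ADVISORY_INFO_PARAM))
```

Running the file decodes the advisory's parameter back to the JSON shown above, prints the tooltip both ways (the unsafe form contains the literal script element, the safe form renders it as `&lt;script&gt;...`), and the detection helper reports `markup_fields: ['events']`. The same `flag_request` can be run over the `info=` values pulled from web-server access logs to find attempts against unpatched installs.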

References:

http://www.joomseller.com/joomla-components/jse-event.html


Copyright 2024, cxsecurity.com
