Joomla 3.1.5 Cross Site Scripting

2013-08-06 / 2014-01-01
Credit: Emilio Pinna
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

============================================================
- Original release date: August 05, 2013
- Discovered by: Emilio Pinna (Application Security Analyst at Abinsula)
- Contact: (emilio (dot) pinn (at) gmail (dot) com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================

VULNERABILITY
-------------------------
Joomla core package <= 3.1.5 includes a PHP script that suffers from a reflected XSS vulnerability. It allows injection of HTML and malicious scripts that can access any cookies, session tokens, or other sensitive information retained by the victim's browser and used with that site.

Joomla is one of the most widely installed CMSs, with tens of millions of installations.

DESCRIPTION
-------------------------
The affected file libraries/idna_convert/example.php has several injection points:

- Unsanitized lang parameter on line 24
- Unsanitized file name printing on lines 112 and 119

PROOF OF CONCEPT
-------------------------
http://localhost/joomla/libraries/idna_convert/example.php?lang="><script>alert(document.cookie);</script><!--

BUSINESS IMPACT
-------------------------
As usual, attackers can exploit these weaknesses to execute arbitrary HTML and script code in the browser session of a user who visits the maliciously crafted URL.

SYSTEMS AFFECTED
-------------------------
Joomla-CMS <= 3.1.5

SOLUTION
-------------------------
Fixed by removing the vulnerable example file in git commit c00c033d33d901e1ca6be9061a44e55acd041b1f

REFERENCES
-------------------------
http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/
https://github.com/joomla/joomla-cms/issues/1658

CREDITS
-------------------------
Emilio Pinna (emilio (dot) pinn (at) gmail (dot) com)

DISCLOSURE TIMELINE
-------------------------
August 4, 2013: Ticket describing the bug opened by Adam Willard.
August 5, 2013: Fixed by Michael Babker.
August 5, 2013: Vulnerability disclosed by Emilio Pinna.

LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
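Because the fix is removal of the example file, a site operator can check web server logs both for whether the file is still being served and for requests that carried markup characters to it. The following is an added example, not part of the original advisory or of Joomla; it assumes Combined Log Format access logs, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Script path taken from the advisory; everything else here is illustrative.
SCRIPT = re.compile(re.escape("/libraries/idna_convert/example.php"), re.I)
# Assumed Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
MARKUP = re.compile(r'[<>"\']')  # characters needed to break out of HTML context


def decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded input (%253C) is still seen."""
    for _ in range(rounds):
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt
    return target


def classify(line):
    """Return None for unrelated lines, else (client, served, markup)."""
    m = LINE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    decoded = decode(target)
    hit = SCRIPT.search(decoded)
    if not hit:
        return None
    served = status == "200"  # the example file is still present on the server
    # Look only at what follows the script name: path suffix and query string.
    markup = bool(MARKUP.search(decoded[hit.end():]))
    return client, served, markup


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Aug/2013:10:01:02 +0000] "GET /libraries/idna_convert/example.php?lang=%22%3E%3Cb%3Ex HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Aug/2013:10:01:09 +0000] "GET /libraries/idna_convert/example.php?lang=%2522%253E%253Cb%253E HTTP/1.1" 404 210',
    '198.51.100.4 - - [06/Aug/2013:10:02:00 +0000] "GET /libraries/idna_convert/example.php?lang=de HTTP/1.1" 200 5100',
    '198.51.100.9 - - [06/Aug/2013:10:03:00 +0000] "GET /index.php?lang=de HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

A result with `served` true means the file has not been removed from that installation, whether or not the request carried markup.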
