CVE-2019-16725

Date: September 25, 2019

Overview

In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.

Details

The default templates of the Joomla! index.php page do not properly escape the file name of the logo PNG file when it is rendered. An authenticated attacker could use this to insert a PNG file with a malicious name, thus executing arbitrary JavaScript code in a victim's browser.

PoC Details

Make sure the Joomla instance is up and running. In a browser, go to the `joomla/administrator/index.php` endpoint and log in as admin. On the toolbar at the top of the page, click `Extensions`, then `Templates`. Click the `protostar - Default` template in the list (it should be starred as the default; if not, star it as default). Go to the `Advanced` tab. From a terminal, create a file with the name given below in the `<joomla dir>/images` directory. Go back to the Joomla site and click the `Select` button next to the `Logo` option. Choose the file just created and click `Insert`. Finally, click `Save & Close`. Now visit the `joomla/index.php` endpoint and notice the payload being executed.

PoC Code

joomla_black.png" onload=alert(document.cookie) onmouseover=".png

Affected Environments

3.0.0-3.9.11

Prevention

Upgrade to Joomla! 3.9.12
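As an added illustration (not Joomla's own template code, and not the project's actual patch), the following PHP renders a template logo parameter both unescaped and escaped with `htmlspecialchars()`, then parses the result the way a browser would to show which attributes the `<img>` element ends up with for the PoC file name above. The site URL and the `images/` path are assumptions for the demo.

```php
<?php
// Added example, not Joomla's own template code: renders the template's
// "logo" parameter two ways and reports which attributes the browser would
// see, using the PoC file name from this page.

const SITE_ROOT = 'https://example.invalid/';   // assumed site URL
const POC_LOGO  = 'joomla_black.png" onload=alert(document.cookie) onmouseover=".png';

// Vulnerable rendering: the file name is concatenated into the attribute
// unescaped, so the quote inside the name closes src="..." and the rest of
// the name is parsed as new attributes (onload=..., onmouseover=...).
function render_logo_unescaped(string $logoFile): string
{
    return '<img src="' . SITE_ROOT . 'images/' . $logoFile . '" alt="logo" />';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES converts both quote
// characters to entities, so the whole file name stays inside src.
function render_logo_escaped(string $logoFile): string
{
    $src = htmlspecialchars(SITE_ROOT . 'images/' . $logoFile, ENT_QUOTES, 'UTF-8');
    return '<img src="' . $src . '" alt="logo" />';
}

// Parse the markup as a browser would and return the attribute names the
// <img> element actually carries; anything beyond src/alt is injected.
function img_attribute_names(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $img = $doc->getElementsByTagName('img')->item(0);
    $names = [];
    foreach ($img->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$variants = [
    'unescaped' => render_logo_unescaped(POC_LOGO),
    'escaped'   => render_logo_escaped(POC_LOGO),
];
foreach ($variants as $label => $html) {
    $extra = array_diff(img_attribute_names($html), ['src', 'alt']);
    printf("%-10s %s\n", $label . ':', $html);
    printf("%-10s injected attributes: %s\n", '', $extra ? implode(', ', $extra) : '(none)');
}
```

The unescaped variant reports `onload, onmouseover` as injected attributes, while the escaped variant reports none because the quotes are rendered as `&quot;` and stay inside the `src` value.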

Language: PHP

Good to know:


Cross-Site Scripting (XSS)

CWE-79

Upgrade Version

Upgrade to version 3.9.12


CVSS v3 base metrics

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 base metrics

Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None