We found results for “


Date: July 7, 2021


In Joomla CMS, versions 3.7.0 through 3.9.27 are vulnerable to stored Cross-Site Scripting (XSS) due to an unescaped parameter in the image title in the images list view in com_media. A highly-privileged attacker can insert an image with a malicious name to trigger arbitrary javascript code on the browser when rendering the view.


The `imagesList` view of the `com_media` component in the `isis` administrator template is vulnerable to XSS, as it does not escape the title parameter of the images in the list. Thus, a specially crafted image name can be assigned to an existing or a new image in the joomla directory, containing javascript code which will be run by the browser when the page renders. Vulnerable endpoint is: http://localhost/joomla/administrator/index.php?option=com_media&view=imagesList, Consequently affecting the following endpoints, using the first as an iframe: http://localhost/joomla/administrator/index.php?option=com_media&view=images, http://localhost/joomla/administrator/index.php?option=com_newsfeeds&view=newsfeed&layout=edit, http://localhost/joomla/administrator/index.php?option=com_content&view=article&layout=edit, http://localhost/joomla/administrator/index.php?option=com_tags&view=tag&layout=edit

PoC Details

Create a png file with the given name in the section below in the ‘/var/www/html/joomla/images’ folder. You can simply create it using the command given in the section below: Login as administrator to the Joomla website, and visit one of these endpoints: http://localhost/joomla/administrator/index.php?option=com_media&view=imagesList, http://localhost/joomla/administrator/index.php?option=com_media&view=images. See the payload getting triggered Alternatively, enter one of these endpoints: http://localhost/joomla/administrator/index.php?option=com_newsfeeds&view=newsfeed&layout=edit, http://localhost/joomla/administrator/index.php?option=com_content&view=article&layout=edit, http://localhost/joomla/administrator/index.php?option=com_tags&view=tag&layout=edit. Now in the edit layout page of either of the components (newsfeed, article, tag), click on the `Select` button to browse the images in the folder. Now notice the payload getting triggered.

PoC Code

// name of the image:
powered_by.png” onload=alert(“xss”) “.png
// command to create the image:
Convert -size 32x32 -xc:white ‘powered_by.png” onload=alert(“xss”) “.png’

Affected Environments



Upgrade to 3.9.28