
Joomla CMS Patches Critical XSS Vulnerabilities

Millions of Websites Potentially at Risk
Joomla site administrators are urged to patch immediately. (Image: Shutterstock)

Cross-site scripting vulnerabilities in Joomla, a widely used free and open-source content management system, were fixed in a patch published Tuesday by the open-source project that maintains the software.


Joomla is used to power roughly 2% of global websites, according to W3Techs, and the flaws potentially expose millions of websites to attacks that can end with remote code execution.

Researchers from SonarSource said a core issue behind the XSS vulnerabilities - there are two - stems from inadequate content filtering within the filter code. Attackers could use the flaw, tracked as CVE-2024-21726, to trick a system administrator into clicking on a malicious link that leads to remote code execution.

"While we won't be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk. We strongly advise all Joomla users to update to the latest version," the company said. Notable users of Joomla include the Croatian newspapers Jutarnji List and Slobodna Dalmacija and the website of the Indian national identity authority.

Joomla's core filter component is responsible for filtering and sanitizing user input so that untrusted data cannot reach the page as executable markup, which is how XSS attacks are prevented. It validates and cleans data entered by users before that data is stored or rendered, and it is therefore central to maintaining the integrity and security of content within the Joomla content management system.

Joomla said version 5.0.3 of the content management system fixes the two XSS vulnerabilities as well as additional flaws.

Stefan Schiller, a SonarSource researcher, told Information Security Media Group that the vulnerability allows an attacker to craft a malicious link that injects a JavaScript payload into the website.

"When the attacker tricks an administrator into clicking on this link, the injected JavaScript payload is executed in the context of the administrator. This allows the attacker to gain remote code execution and thus fully compromise the Joomla server," Schiller said.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
