Monday, 20 September 2010 12:51
I disagree. The exploit is entered on the frontend comment form, using only the credentials necessary to post a comment - hardly a "trusted" position. The fact that you have to be admin to trigger the exploit makes it more dangerous than usual - executing arbitrary code as admin means I can load up a hidden iframe, install my own PHP code, etc.
This is a comment on "K2 2.3 Persistent XSS Vulnerability"

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
