Thursday, 17 September 2009 00:00

The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email".

Fake Submission<script>alert(document.cookie)</script>

Now, when an administrator views the latest submissions, the script will execute with that admin's permissions.

Timeline

  • Vulnerabilities Discovered: 31 July 2009
  • Vendor Notified: 31 July 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009
Last Updated on Thursday, 30 September 2010 17:36
 

Add your comment

Your name:
Comment:
  The word for verification. Lowercase letters only with no spaces.
Word verification:

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.

Santorum
Joomla Extensions