The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email".
Now, when an administrator views the latest submissions, the script will execute with that admin's permissions.
- Vulnerabilities Discovered: 31 July 2009
- Vendor Notified: 31 July 2009
- Vendor Response: ... 2009
- Update Available: ... 2009
- Disclosure: 17 September 2009
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.