Testimonial Ku 2.0 Admin Panel Persistent XSS

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Joomla component Testimonial Ku 2.0 is vulnerable to persistent (stored) XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags (the payload needs no quote characters at all, so quote filtering does not stop it) through any of the available inputs except "email"; the input is stored unsanitized and later rendered unescaped in the administrator panel.

Fake Submission<script>alert(document.cookie)</script>

Now, when an administrator views the latest submissions, the stored script executes in the administrator's browser with that admin's session privileges.
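The following is an added illustration, not code from the Testimonial Ku component or from the advisory's author. It models the bug as a constructed three-field submission: the vulnerable pattern concatenates stored values straight into the admin listing, the hardened pattern HTML-escapes every user-controlled value at output time, and a submission-time check flags script tags and rejects malformed emails (the advisory does not say why "email" was not injectable; format validation on that field is assumed here).

```python
import html
import re

# Constructed sample submission (not from the advisory), carrying the
# advisory's payload in the "name" field.
SAMPLE_SUBMISSION = {
    "name": "Fake Submission<script>alert(document.cookie)</script>",
    "email": "someone@example.com",
    "testimonial": "Great product <b>love it</b>",
}

# Assumed email format check; a field that must match this cannot carry a tag.
EMAIL_RE = re.compile(r"^[^@\s<>\"']+@[^@\s<>\"']+\.[A-Za-z]{2,}$")
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

FIELDS = ("name", "email", "testimonial")


def render_row_unsafe(row):
    """Vulnerable pattern: stored values are concatenated verbatim into the
    admin listing, so a stored <script> tag becomes live markup."""
    return "<tr>" + "".join("<td>%s</td>" % row[k] for k in FIELDS) + "</tr>"


def render_row_safe(row):
    """Hardened pattern: every user-controlled value is HTML-escaped when it
    is written into the page; quote=True also covers attribute contexts."""
    cells = (html.escape(row[k], quote=True) for k in FIELDS)
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def validate_submission(row):
    """Submission-time check: reject an implausible email address and flag
    any free-text field that carries a script tag. Returns a list of
    problems; an empty list means the submission passed."""
    problems = []
    if not EMAIL_RE.match(row["email"]):
        problems.append("email: not a valid address")
    for field in ("name", "testimonial"):
        if SCRIPT_RE.search(row[field]):
            problems.append("%s: contains a script tag" % field)
    return problems


def contains_live_script(markup):
    """True if rendered markup still contains an unescaped <script> tag."""
    return SCRIPT_RE.search(markup) is not None
```

Output escaping is the fix that closes the hole; the submission-time check is defence in depth and a useful place to log attempts.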