The Joomla component Testimonial Ku 2.0 is vulnerable to persistent (stored) XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags (no quotes are required) through any of the available inputs except "email"; the submitted script is stored and later rendered in the administrator panel.
When an administrator views the latest submissions, the script executes in the administrator's browser with that admin's permissions.
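The following is an added example, not code from the Testimonial Ku component: a constructed submission carrying a quote-free <script> payload is rendered into an admin listing first without encoding (the pattern behind this bug) and then with output encoding applied to every field; the field names and helper functions are assumptions, not the component's schema or API.

```php
<?php
// Constructed sample submission (field names are assumptions, not the component's schema).
// The payload uses no quotes, matching the advisory's description.
$submission = [
    'name'        => '<script>alert(1)</script>',
    'email'       => 'user@example.com',
    'website'     => 'http://example.com/<script>alert(1)</script>',
    'testimonial' => 'Great product <script>alert(1)</script>',
];

// Vulnerable rendering: stored values are concatenated into the admin page unchanged,
// so the browser parses the injected <script> element and runs it in the admin's session.
function renderRowVulnerable(array $row): string {
    return '<tr><td>' . $row['name'] . '</td><td>' . $row['email'] . '</td>'
         . '<td>' . $row['website'] . '</td><td>' . $row['testimonial'] . '</td></tr>';
}

// Hardened rendering: every stored value is HTML-entity encoded at output time, so the
// same bytes are displayed as text. ENT_QUOTES also encodes both quote styles, which
// matters when a value is placed inside an attribute rather than between tags.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $row): string {
    return '<tr><td>' . esc($row['name']) . '</td><td>' . esc($row['email']) . '</td>'
         . '<td>' . esc($row['website']) . '</td><td>' . esc($row['testimonial']) . '</td></tr>';
}

// Triage helper (assumed, not part of the component): flag stored submissions that
// contain any markup, useful when reviewing an existing database for injected records.
function containsMarkup(array $row): bool {
    foreach ($row as $value) {
        if ($value !== strip_tags($value)) {
            return true;
        }
    }
    return false;
}

echo renderRowVulnerable($submission), PHP_EOL; // script element reaches the browser intact
echo renderRowSafe($submission), PHP_EOL;       // angle brackets are entity-encoded
var_dump(containsMarkup($submission));
```

Encoding at output time (rather than filtering at submission time alone) is the durable fix, because it also neutralises records that were injected before the patch was applied.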
- Vulnerabilities Discovered: 31 July 2009
- Vendor Notified: 31 July 2009
- Vendor Response: ... 2009
- Update Available: ... 2009
- Disclosure: 17 September 2009