Joomla CMS releases patches for several XSS vulnerabilities
Take action: If you are using Joomla CMS, consider upgrading to 5.0.3/4.4.3. The XSS exploits are not immediate: they require that a Joomla administrator clicks on a malicious link for the attack to be possible. Yet a lot of platforms have already been successfully compromised with this exact admin attack vector.
Learn More
The Sonar Vulnerability Research Team has identified several XSS security flaws within Joomla, a widely used open-source Content Management System (CMS).
The most significant flaw is present in Joomla’s core filter component and is tracked as CVE-2024-21726. Because Joomla has a significant presence on the internet, powering approximately 2% of all websites globally, which translates to millions of active deployments, this vulnerability needs attention.
Update - Joomla is warning about several vulnerabilities within the same vulnerable versions:
- CVE-2024-21722: The MFA management features did not properly terminate existing user sessions when a user's MFA methods were modified.
- CVE-2024-21723: Inadequate parsing of URLs could result in an open redirect.
- CVE-2024-21724: Inadequate input validation for media selection fields leads to cross-site scripting (XSS) vulnerabilities in various extensions.
- CVE-2024-21725: Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
- CVE-2024-21726: Inadequate content filtering within the filter code leads to multiple XSS vulnerabilities.
Joomla's advisory notes that CVE-2024-21725 is the vulnerability with the highest severity and a high exploitation probability.
This vulnerability exposes Joomla to multiple Cross-Site Scripting (XSS) attacks, affecting versions 5.0.2/4.4.2 and below. The XSS vulnerabilities could allow attackers to achieve remote code execution (RCE) by deceiving an administrator into interacting with a malicious link.
The updated versions, Joomla 5.0.3/4.4.3, are the first releases that mitigate this risk. Users are urged to upgrade immediately to protect against exploitation.
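As an added example that is not part of the advisory, a small Python triage script that reads the version constants Joomla 4.x/5.x keeps in libraries/src/Version.php (an assumption about the install layout, so verify it on your host) and reports whether the install predates the first fixed release on its own branch. The check is branch-aware because a plain numeric comparison gets both 5.0.0 and 4.4.3 wrong.

```python
# Triage an installed Joomla version against the advisory's fixed releases.
# Added example, not part of the advisory. Assumes Joomla 4.x/5.x stores its
# version as MAJOR_VERSION / MINOR_VERSION / PATCH_VERSION constants in
# libraries/src/Version.php (true for current Joomla; verify on your host).
import re
from pathlib import Path
# First fixed release per supported branch, from the advisory.
FIXED = {4: (4, 4, 3), 5: (5, 0, 3)}

# Constructed sample of the constants block in libraries/src/Version.php.
SAMPLE_VERSION_PHP = """
class Version
{
    public const MAJOR_VERSION = 4;
    public const MINOR_VERSION = 4;
    public const PATCH_VERSION = 2;
}
"""

def parse_version_php(source: str) -> tuple:
    """Pull (major, minor, patch) out of Version.php source text."""
    parts = []
    for name in ("MAJOR", "MINOR", "PATCH"):
        m = re.search(rf"{name}_VERSION\s*=\s*(\d+)\s*;", source)
        if not m:
            raise ValueError(f"{name}_VERSION not found in Version.php")
        parts.append(int(m.group(1)))
    return tuple(parts)

def classify(version: tuple) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a Joomla version.

    Compare per branch: 5.0.0 predates its fix although it is numerically
    above 4.4.3, and 4.4.3 is fixed although it is numerically below 5.0.3.
    """
    major = version[0]
    if major < 4:
        return "vulnerable"  # "4.4.2 and below" also covers end-of-life 3.x
    if major not in FIXED:
        return "unknown"  # newer branch than the advisory covers
    return "fixed" if version >= FIXED[major] else "vulnerable"

def triage_install(joomla_root: str) -> str:
    """Read Version.php from a live install and classify it."""
    source = Path(joomla_root, "libraries", "src", "Version.php").read_text()
    return classify(parse_version_php(source))

if __name__ == "__main__":
    v = parse_version_php(SAMPLE_VERSION_PHP)
    print(".".join(map(str, v)), "->", classify(v))
```

Run `triage_install("/var/www/joomla")` (path is an example) against each site root you manage; anything reported as vulnerable should be scheduled for the 5.0.3/4.4.3 upgrade.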