BID:104270

Joomla! Core CVE-2018-11326 Multiple Cross Site Scripting Vulnerabilities

CVE-2018-11326 |

Info

Joomla! Core CVE-2018-11326 Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	104270
Class:	Input Validation Error
CVE:	CVE-2018-11326
Remote:	Yes
Local:	No
Published:	May 22 2018 12:00AM
Updated:	May 22 2018 12:00AM
Credit:	Kai Zhao of 3H Security Team & Zhouyuan Yang (FortiGuard Labs)
Vulnerable:	Joomla Joomla! 3.8.7 Joomla Joomla! 3.8.6 Joomla Joomla! 3.8.5 Joomla Joomla! 3.8.4 Joomla Joomla! 3.8.3 Joomla Joomla! 3.8.2 Joomla Joomla! 3.8.1 Joomla Joomla! 3.7.3 Joomla Joomla! 3.7.2 Joomla Joomla! 3.7.1 Joomla Joomla! 3.7 Joomla Joomla! 3.6.5 Joomla Joomla! 3.5 Joomla Joomla! 3.4.7 Joomla Joomla! 3.4.6 Joomla Joomla! 3.4.4 Joomla Joomla! 3.4.3 Joomla Joomla! 3.4.2 Joomla Joomla! 3.4.1 Joomla Joomla! 3.4 Joomla Joomla! 3.3.6 Joomla Joomla! 3.3.5 Joomla Joomla! 3.3.4 Joomla Joomla! 3.3.3 Joomla Joomla! 3.3.2 Joomla Joomla! 3.3.1 Joomla Joomla! 3.3 Joomla Joomla! 3.2.6 Joomla Joomla! 3.2.5 Joomla Joomla! 3.2.4 Joomla Joomla! 3.2.3 Joomla Joomla! 3.2.2 Joomla Joomla! 3.2.1 Joomla Joomla! 3.1.6 Joomla Joomla! 3.1.5 Joomla Joomla! 3.1.4 Joomla Joomla! 3.1.1 Joomla Joomla! 3.1 Joomla Joomla! 3.0.4 Joomla Joomla! 3.0.3 Joomla Joomla! 3.0.1 Joomla Joomla! 3.0 Joomla Joomla! 3.8.0 Joomla Joomla! 3.7.5 Joomla Joomla! 3.7.4 Joomla Joomla! 3.6.4 Joomla Joomla! 3.6.3 Joomla Joomla! 3.6.1 Joomla Joomla! 3.6.0 Joomla Joomla! 3.4.5

Not Vulnerable:	Joomla Joomla! 3.8.8

Discussion

Joomla! Core CVE-2018-11326 Multiple Cross Site Scripting Vulnerabilities

Joomla! Core is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Joomla! version 3.0.0 through 3.8.7 are vulnerable.

Exploit / POC

Joomla! Core CVE-2018-11326 Multiple Cross Site Scripting Vulnerabilities

An attacker can exploit these issues by enticing an unsuspecting user to visit a specially crafted URL.

Solution / Fix

Joomla! Core CVE-2018-11326 Multiple Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

Joomla! Core CVE-2018-11326 Multiple Cross Site Scripting Vulnerabilities

References:

Joomla! Homepage (Joomla )
[20180505] - Core - XSS Vulnerabilities & additional hardening (joomla.org)