CVE-2021-26039

Date: July 7, 2021

Overview

In Joomla CMS, versions 3.7.0 through 3.9.27 are vulnerable to stored Cross-Site Scripting (XSS) because the image title in the images list view of com_media is written into the page unescaped. A highly privileged attacker can place an image with a malicious file name so that arbitrary JavaScript runs in the browser of any administrator who renders that view.

Details

The `imagesList` view of the `com_media` component, rendered with the `isis` administrator template, does not escape the title parameter of the images it lists. A specially crafted file name, assigned to a new or existing image in the Joomla images directory, can therefore carry JavaScript that the browser executes when the page renders.

Vulnerable endpoint:
http://localhost/joomla/administrator/index.php?option=com_media&view=imagesList

The following endpoints embed the vulnerable view in an iframe and are consequently affected as well:
http://localhost/joomla/administrator/index.php?option=com_media&view=images
http://localhost/joomla/administrator/index.php?option=com_newsfeeds&view=newsfeed&layout=edit
http://localhost/joomla/administrator/index.php?option=com_content&view=article&layout=edit
http://localhost/joomla/administrator/index.php?option=com_tags&view=tag&layout=edit
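The PHP below is an added example, not code from Joomla or from this advisory. It shows the pattern the Details section describes: an image name written unescaped into an HTML attribute, next to the same markup with the value escaped, plus a small audit that flags file names in an images folder that could break out of an attribute. The `<img>` markup shape, the helper names (`renderImageVulnerable`, `renderImageFixed`, `escapeAttr`, `auditImagesDir`) and the `images/` URL prefix are assumptions for illustration; Joomla's real template differs in detail, although its views do provide `$this->escape()` for exactly this purpose. The constructed input is the file name used in the PoC on this page.

```php
<?php
// Added example (not Joomla's own code). Demonstrates why an unescaped image
// name in an HTML attribute is a stored XSS, and what the escaped form looks
// like. The markup shape is an assumption that mirrors the pattern described
// in the advisory, not the actual com_media template.

// Vulnerable pattern: the file name goes straight into alt/title attributes.
function renderImageVulnerable(string $name, string $url): string
{
    return '<img src="' . $url . '" alt="' . $name . '" title="' . $name . '">';
}

// Fix: escape every value that lands inside an attribute. ENT_QUOTES matters
// here because the payload closes the attribute with a double quote; Joomla
// views expose $this->escape() for this, the flags below are this example's choice.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderImageFixed(string $name, string $url): string
{
    return '<img src="' . escapeAttr($url) . '" alt="' . escapeAttr($name)
        . '" title="' . escapeAttr($name) . '">';
}

// Audit helper: a file name that contains a quote, angle bracket or equals
// sign can terminate an attribute or introduce a new one, so flag it.
function isSuspiciousName(string $name): bool
{
    return (bool) preg_match('/["\'<>=]/', $name);
}

// Scan a directory (e.g. the Joomla images folder) for such names.
function auditImagesDir(string $dir): array
{
    $flagged = [];
    $entries = scandir($dir);
    if ($entries === false) {
        return $flagged;
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (isSuspiciousName($entry)) {
            $flagged[] = $entry;
        }
    }
    return $flagged;
}

// Constructed input: the file name from the PoC in this advisory.
$payloadName = 'powered_by.png" onload=alert("xss") ".png';
$url = 'images/' . rawurlencode($payloadName);   // hypothetical relative URL

// The vulnerable output contains a live onload= attribute; the fixed output
// keeps the whole name inside the attribute as &quot;-escaped text.
echo "Vulnerable:\n" . renderImageVulnerable($payloadName, $url) . "\n\n";
echo "Fixed:\n" . renderImageFixed($payloadName, $url) . "\n\n";

// Optional: pass a directory on the command line to audit existing files.
if ($argc > 1) {
    foreach (auditImagesDir($argv[1]) as $bad) {
        echo "Suspicious file name: $bad\n";
    }
}
```

Run it as `php example.php` to compare the two renderings, or `php example.php /var/www/html/joomla/images` to list any already-present file names that would break out of an attribute on an unpatched site. Note that the image itself is a valid PNG, so it loads successfully and the injected `onload` handler fires; the escaping in `renderImageFixed` is what keeps the name inert.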

PoC Details

1. Create a PNG file in the '/var/www/html/joomla/images' folder whose name is the payload listed under PoC Code; the command given there creates it. The PoC writes the file directly to disk, so it assumes filesystem access to the images directory, consistent with the highly privileged attacker described in the Overview.
2. Log in to the Joomla administrator interface as an administrator and visit one of these endpoints:
http://localhost/joomla/administrator/index.php?option=com_media&view=imagesList
http://localhost/joomla/administrator/index.php?option=com_media&view=images
3. Observe the payload being triggered.

Alternatively:
4. Open one of these edit layouts:
http://localhost/joomla/administrator/index.php?option=com_newsfeeds&view=newsfeed&layout=edit
http://localhost/joomla/administrator/index.php?option=com_content&view=article&layout=edit
http://localhost/joomla/administrator/index.php?option=com_tags&view=tag&layout=edit
5. In the edit layout of any of these components (newsfeed, article, tag), click the `Select` button to browse the images in the folder.
6. Observe the payload being triggered.

PoC Code

// name of the image (the double quotes close the HTML attribute the name is written into):
powered_by.png" onload=alert("xss") ".png

// command to create the image (ImageMagick; the canvas is given as xc:white, with no leading dash):
convert -size 32x32 xc:white 'powered_by.png" onload=alert("xss") ".png'

Affected Environments

3.7.0 through 3.9.27

Prevention

Upgrade to version 3.9.28 or later

Language: PHP

Good to know:

Weakness: Cross-Site Scripting (XSS), CWE-79

Fix: Upgrade to version 3.9.28

CVSS v3.x base score metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 base score metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None

Note that the v3 vector rates Privileges Required as None, while the description above requires a highly privileged attacker to place the malicious file; treat the description as the practical precondition when assessing exposure.