Hi,
I have two sites made with Joomla, both at hand on 3.9.8. On one site, the Finder field is positive for an XSS attack; here it is:
https://www.isisvirgilio.edu.it/index.php/component/finder/search?q=";alert('XSS');a= "
While the other is not affected by XSS; here it is:
http://italiajoo.demoargoweb.com/index.php/component/finder/search?q=";alert('XSS');a= "
Can you give me some tips?
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-07-02 14:20:41 |
Closed_By | ⇒ | SniperSister |
Joomla is not vulnerable to an XSS attack on the search box of the finder field. You should check your joomlashine template overrides.
@SniperSister should the opened comment be deleted?
@franz-wohlkoenig all good, the ticket can stay that way
Thank you so much for the clarifications and really sorry for writing here.
Advice No: 1 NEVER NEVER NEVER report security issues on public issue trackers, always use the corresponding forms (https://developer.joomla.org/security/contact-the-team.html) to report such issues!
Regarding your issue: apparently it's an issue in a 3rd party extension, see https://www.joomlathat.com/support/content-statistics/general/contentstatics-plug-in-is-vulnerable-to-xss
Closing as it is not a Joomla core issue.