Removed for security reasons
Labels | Removed: ? |
Labels | Added: No Code Attached Yet |
@rbeins In addition to my previous comment, I don't see that the $extension value somehow goes into the HTML output. It is only passed to the getAssociations method here: https://github.com/joomla/joomla-cms/blob/5.0-dev/administrator/components/com_categories/src/Controller/AjaxController.php#L61, and that method uses the md5 of the serialization of that value to create a query key here: https://github.com/joomla/joomla-cms/blob/5.0-dev/libraries/src/Language/Associations.php#L63.
It is not passed to the HTML output and not saved in the database, so I don't see how the described XSS should be possible.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-10-16 19:31:37 |
Closed_By | ⇒ | richard67 |
If you have a PoC (proof of concept), send it through the online form mentioned in my comment above. But according to the description you had provided, which we have removed for security reasons, I could not see a possible XSS. See also my previous comment.
@rbeins Please check https://github.com/joomla/joomla-cms/security/policy for how to report security issues using the online form. Thanks in advance.