Joomla has released a critical security update to address multiple Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities, if left unpatched, could allow attackers to execute malicious code on affected Joomla websites, potentially leading to Remote Code Execution (RCE).

Understanding the Vulnerabilities

  • XSS (Cross-Site Scripting): This type of vulnerability enables attackers to inject malicious scripts into otherwise trusted websites. These scripts can then be executed by unsuspecting visitors’ browsers.
  • RCE (Remote Code Execution): If attackers can leverage XSS flaws for RCE, they could potentially gain remote control of a vulnerable website, leading to data theft, defacement, or further malicious activity.
  • CVE-2024-21722: The MFA management features did not properly terminate existing user sessions when a user’s MFA methods had been modified.
  • CVE-2024-21723: Inadequate parsing of URLs could result in an open redirect.
  • CVE-2024-21724: Inadequate input validation for media selection fields led to cross-site scripting (XSS) vulnerabilities in various extensions.
  • CVE-2024-21725: Inadequate escaping of mail addresses led to XSS vulnerabilities in various components.
  • CVE-2024-21726: Inadequate content filtering within the filter code led to multiple XSS vulnerabilities.

Joomla’s advisory notes that CVE-2024-21725 is the vulnerability with the highest severity risk and has a high exploitation probability.
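As an added illustration of the bug class behind CVE-2024-21725 (this is not Joomla's code, and the sample address is constructed), the PHP below renders a stored mail address in a vulnerable and a hardened form:

```php
<?php
// Added example, not Joomla's own code. RFC 5321 allows a quoted local part,
// so an address that passes a syntax check can still carry HTML metacharacters.
// Constructed sample value: a harmless <b> tag stands in for any markup.
$address = '"<b>display</b>"@example.test';

// Vulnerable pattern: the address is trusted because it "looks like an email"
// and is interpolated into markup unescaped, so the <b> tags become live HTML
// and the embedded double quotes can terminate the href attribute early.
function renderMailtoUnescaped(string $address): string
{
    return '<a href="mailto:' . $address . '">' . $address . '</a>';
}

// Hardened pattern: escape for the HTML context at output time, in both the
// attribute value and the text node. ENT_QUOTES turns the double quotes into
// &quot; so the value can no longer break out of the quoted attribute.
function renderMailtoEscaped(string $address): string
{
    $safe = htmlspecialchars($address, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="mailto:' . $safe . '">' . $safe . '</a>';
}

echo renderMailtoUnescaped($address), PHP_EOL;
echo renderMailtoEscaped($address), PHP_EOL;
```

The lesson the advisory entry points at is that address validation is not output encoding: a value must be escaped for the context it is written into, regardless of how it was validated on the way in.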

The vulnerabilities have been fixed in Joomla versions 4.4.3 and 5.0.3. All websites running older versions of Joomla are strongly urged to update immediately. Instructions for updating can be found on the Joomla website.
