CVE-2015-7343 - Reflected Cross-Site Scripting in JNews Joomla Component


1. Vulnerability Properties

  • Title: Cross-Site Scripting in JNews Joomla Component
  • CVE ID: CVE-2015-7343
  • CVSSv3 Base Score: 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
  • Vendor: Joobi
  • Products: JNews Core
  • Advisory Release Date: 28 October 2015
  • Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7343
  • Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>

2. Vulnerability Summary

The JNews Joomla extension is vulnerable to reflected cross-site scripting through the mailingsearch parameter.

3. Technical Details

By submitting the following POST request, it is possible to inject JavaScript code into the server response, where it is executed when the page is loaded.

  • Request (screenshot, not reproduced here)
  • Response (screenshot, not reproduced here)
  • Webpage (screenshot, not reproduced here)

This vulnerability can be exploited from the Joomla back-end (/administrator), but it can also be exploited using a plain Registered account.
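The defect class the advisory describes is a request parameter echoed into the HTML response without output encoding. The following PHP is an added illustration of that pattern beside its hardened form; it is not JNews code and does not reproduce the component's actual template, and the function names and the constructed POST body are assumptions for the example.

```php
<?php
// Added illustration (not JNews code): a reflected-XSS pattern of the kind
// the advisory describes, and its hardened counterpart. Function names and
// the sample request body below are assumptions for this example.

// Vulnerable: the raw request parameter is concatenated into the HTML that
// is sent back, so any markup or quote characters it contains are
// interpreted by the browser instead of being shown as text.
function renderSearchBoxVulnerable(array $post): string
{
    $term = $post['mailingsearch'] ?? '';
    return '<input type="text" name="mailingsearch" value="' . $term . '">';
}

// Hardened: the value is HTML-encoded for the attribute context it lands in.
// ENT_QUOTES encodes both " and ' so neither quote style can close the
// attribute early; the explicit charset avoids multi-byte edge cases.
function renderSearchBoxSafe(array $post): string
{
    $term = (string) ($post['mailingsearch'] ?? '');
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="mailingsearch" value="' . $encoded . '">';
}

// Constructed request body standing in for the POST in the advisory. The
// value closes the attribute and adds harmless bold markup, which is enough
// to show whether the parameter is treated as data or as HTML.
$post = ['mailingsearch' => '"><b>injected</b>'];

echo "Vulnerable: ", renderSearchBoxVulnerable($post), PHP_EOL;
echo "Hardened:   ", renderSearchBoxSafe($post), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: in the vulnerable output the `"` and `>` from the parameter terminate the input element and the `<b>` tag becomes part of the page, while in the hardened output every such character appears as an entity and stays inside the attribute value. In a Joomla component the same rule applies however the parameter was read: input filtering restricts what arrives, but the fix for reflected XSS is encoding at the point of output, for the exact HTML context (attribute, element body, script) the value is written into.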

4. Vulnerable Versions

  • 8.3.1

5. Solution

  • Update to 8.5.0

6. Vulnerability Timeline

  • September 01, 2015 — Bug reported to Joobi
  • September 02, 2015 — JNews team replied asking for more information
  • September 24, 2015 — JNews team releases a new version
  • October 28, 2015 — Public disclosure
