Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities
  • Sonar’s Vulnerability Research Team has discovered an issue that led to multiple XSS vulnerabilities in the popular Content Management System Joomla. The issue, discovered with the help of SonarCloud, affects Joomla’s core filter component and is tracked as CVE-2024-21726. Attackers can leverage the issue to gain remote code execution by tricking an administrator into clicking on a malicious link. The underlying PHP bug is an inconsistency in how PHP’s mbstring functions handle invalid multibyte sequences. The bug was fixed with PHP versions 8.3 and 8.4, but not backported to older PHP versions.
  • Joomla released a security announcement and published version 5.0.3/4.4.3, which mitigates the vulnerability.
·sonarsource.com·