|
Description
|
|
High-Tech Bridge SA has discovered a vulnerability in the JComments component for Joomla, which can be exploited by malicious users to conduct script insertion attacks.
Input passed via the "name" parameter to administrator/index.php (when "option" is set to "com_jcomments", "task" is set to "edit", "hiddenmenu" is set to "1", and "cid" is set to a valid comment id) when editing a comment is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
Successful exploitation requires "Public Back-end" permissions.
The vulnerability is confirmed in version 2.1.0.0. Other versions may also be affected.
|
