Joomla JCE Component Security Bypass and Cross-Site Scripting Vulnerabilities

Summary

JCE Comment component for Joomla! is prone to a security-bypass vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

Credit:

The information has been provided by Jon Butler.
The original article can be found at: http://www.securityfocus.com/bid/53630


Details

Vulnerable Systems:
 * Joomla JCE 2.1

Non Vulnerable Systems:
 *Joomla JCE 2.1.3

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Vendor Status:
Joomla JCE had issued an update for this vulnerability

Patch Availability:
http://www.joomlacontenteditor.net/news/item/jce-213-released?category_id=32

Disclosure Timeline:
Initial Release: May 21 2012

Categories: News