CVE-2016-1000121
Description
XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Huge IT Joomla Slider v1.0.9 for Joomla contains reflected XSS and SQL injection vulnerabilities in the admin panel, requiring manager-level access.
Vulnerability
The Huge IT Joomla Slider extension version 1.0.9 contains both a reflected cross-site scripting (XSS) vulnerability and multiple SQL injection vulnerabilities. The XSS occurs in /admin/views/slider/tmpl/default.php where the id GET parameter is directly echoed into an anchor tag without sanitization [1]. The SQL injection vulnerabilities are present in /admin/models/slider.php where the id parameter is used unsanitized in SELECT, UPDATE, and DELETE queries [1]. Both require the attacker to be logged in with at least manager-level access to the Joomla administrative panel.
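The two unsafe patterns described above (raw id echoed into an anchor, raw id interpolated into SQL), each beside a hardened form, as an added illustration in Joomla 3.x PHP; this is not the extension's own code, and the component name, table name and function names are placeholders.

```php
<?php
// Added illustration, not the extension's code: the two unsafe handlings of
// the `id` request parameter the advisory describes, each beside the fix a
// Joomla 3.x extension author would apply. Component name (com_example_slider),
// table name (#__example_sliders) and function names are placeholders.

defined('_JEXEC') or die;

// --- Pattern 1: reflected XSS in an admin template (views/.../default.php) ---

// Vulnerable: the raw GET value is written into an href attribute unescaped.
function renderEditLinkUnsafe()
{
    $id = $_GET['id'];
    return '<a href="index.php?option=com_example_slider&view=slider&id=' . $id . '">Edit</a>';
}

// Fixed: read the value through Joomla's typed input filter (non-numeric input
// becomes 0) and escape the attribute with ENT_QUOTES so a quote in the value
// cannot break out of the href.
function renderEditLinkSafe()
{
    $id   = JFactory::getApplication()->input->getInt('id', 0);
    $href = JRoute::_('index.php?option=com_example_slider&view=slider&id=' . $id);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Edit</a>';
}

// --- Pattern 2: SQL injection in a model (models/slider.php) -----------------

// Vulnerable: the id is concatenated straight into the query text, so any SQL
// syntax in it is executed; the same shape applies to UPDATE and DELETE.
function loadSliderUnsafe($id)
{
    $db = JFactory::getDbo();
    $db->setQuery('SELECT * FROM #__example_sliders WHERE id = ' . $id);
    return $db->loadObject();
}

// Fixed: cast the value to int (or use $db->quote() for string values) and
// build the statement with the query builder; quoteName() guards identifiers.
function loadSliderSafe($id)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__example_sliders'))
        ->where($db->quoteName('id') . ' = ' . (int) $id);
    $db->setQuery($query);
    return $db->loadObject();
}
```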
Exploitation
An attacker with manager-level or higher Joomla admin credentials can exploit these vulnerabilities. For XSS, the attacker crafts a malicious URL containing a JavaScript payload in the id parameter and sends it to an admin user; when the victim admin visits the slider management page, the script executes in their browser context. For SQL injection, the attacker directly sends crafted HTTP requests to the Joomla backend with malicious SQL in the id parameter, which is passed to database queries without parameterization [1]. No additional user interaction is required for SQLi beyond having admin access.
Impact
Successful exploitation of the XSS allows an attacker to execute arbitrary JavaScript in the context of the victim admin's session, potentially leading to session hijacking, defacement, or further administrative actions. The SQL injection vulnerabilities allow an attacker to read, modify, or delete arbitrary data in the Joomla database, including user credentials and site content, potentially leading to full site compromise [1]. The impact is limited to authenticated users with administrative privileges, but can escalate to complete control of the Joomla instance.
Mitigation
As of the advisory publication date (2016-10-27), no official patch or updated version was released by Huge IT [1]. Users should consider disabling or removing the extension until a fix is available. Alternatively, implement web application firewall rules to block malicious input to the id parameter in the slider admin pages. The extension may be end-of-life; check for any later versions that address these issues. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.vapidlabs.com/advisory.php (NVD tags: Exploit, Vendor Advisory)
- extensions.joomla.org/extensions/extension/photos-a-images/slider (NVD tag: Product)
- www.securityfocus.com/bid/92160 (NVD)
News mentions
No linked articles in our index yet.