CVE-2019-16725
Description
In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! 3.x before 3.9.12 fails to escape the logo parameter in default templates, enabling stored XSS attacks.
Root Cause
In Joomla! 3.x versions 3.0.0 through 3.9.11, the logo parameter of default templates is not properly escaped before being rendered in the browser. This missing output sanitization allows an attacker to inject arbitrary HTML and JavaScript into pages that use the vulnerable template [1][3].
Exploitation
To exploit this vulnerability, an attacker needs to have the ability to modify the logo parameter—typically a site administrator who can change template settings. The attack is a stored (persistent) cross-site scripting (XSS), because the injected payload is stored in the site configuration and executed every time a page using the default template is loaded. The vector is the logo parameter, which is accepted without proper escaping [3].
Impact
An authenticated attacker with sufficient privileges can inject malicious scripts that execute in the browsers of other administrators or site visitors. This can lead to session hijacking, defacement, or exfiltration of sensitive data. The vulnerability is rated as moderate impact with low severity on the Joomla! Security Centre scale [3].
Mitigation
Joomla! released version 3.9.12 on September 24, 2019, which fixes the escaping issue. All sites running Joomla! CMS 3.0.0 through 3.9.11 should upgrade immediately. No workarounds are mentioned in the advisories; the only recommended solution is to apply the patch [2][3].
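The following is an added illustration of the class of bug the advisory describes, not Joomla's own template code and not a claim about how the 3.9.12 patch is written. It shows a template parameter dropped straight into markup beside the same output run through context-appropriate HTML escaping; the function names and the sample values are assumptions constructed for the example.

```php
<?php
// Added illustration, not Joomla's template code. Function names and sample
// values are assumptions for this example.
declare(strict_types=1);

/**
 * Vulnerable pattern: the parameter value is concatenated into markup as-is,
 * so whatever was saved in the logo setting is rendered verbatim on every
 * page that uses the template (a stored XSS sink).
 */
function renderLogoUnescaped(string $logo): string
{
    return '<img src="' . $logo . '" alt="logo">';
}

/**
 * Hardened pattern: encode for the HTML attribute context before output.
 * ENT_QUOTES covers both " and ' so the value cannot break out of the
 * attribute; the explicit charset avoids encoding-dependent bypasses.
 */
function renderLogoEscaped(string $logo): string
{
    $safe = htmlspecialchars($logo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="logo">';
}

// Constructed sample values: a legitimate image path beside one that carries
// markup, as a site setting could after being edited by an account with
// template-configuration rights.
$samples = [
    'images/logo.png',
    '"><script>alert(\'xss\')</script>',
];

foreach ($samples as $value) {
    echo "unescaped: " . renderLogoUnescaped($value) . PHP_EOL;
    echo "escaped:   " . renderLogoEscaped($value) . PHP_EOL;
}
```

Run with `php example.php`: the first function emits the second sample's `<script>` element as live markup, while the escaped version renders it as inert text (`&lt;script&gt;...`). The practical check for a site is the same one the advisory implies: confirm the installed version is 3.9.12 or later, since the fix lives in the template output path rather than in any setting an administrator can toggle.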
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joomla/joomla-cms (Packagist) | >= 3.0.0, < 3.9.12 | 3.9.12 |
Affected products
- Joomla! / Joomla!
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-v84j-vh7x-g7j6 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-16725 (NVD advisory)
- [3] developer.joomla.org/security-centre/791-20190901-core-xss-in-logo-parameter-of-default-templates.html (Joomla! Security Centre, vendor confirmation)
News mentions
No linked articles in our index yet.