Extension - advcomsys.com - XSS in oneVote component for Joomla <= 1.7.0
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in advcomsys.com oneVote component for Joomla. It allows XSS Targeting Non-Script Elements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in version 1.7 of the oneVote component for Joomla allows attackers to inject arbitrary scripts via non-script elements.
Vulnerability
Version 1.7 of the oneVote component for Joomla fails to properly sanitize user input, leading to a stored cross-site scripting vulnerability. The XSS targets non-script elements, meaning the injection occurs in HTML attributes or other contexts where script execution is possible. Affected: oneVote 1.7.
Exploitation
An attacker with the ability to submit input (e.g., via voting forms) can inject malicious JavaScript. The input is stored and later rendered to other users without proper escaping, causing the script to execute in their browsers. No authentication or special privileges are required beyond normal user access to the vulnerable component.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack targets non-script elements, which may bypass some filters.
Mitigation
As of the publication date (July 2023), no official patch has been disclosed in the available references [1]. Users should disable or remove the oneVote component until a fix is released. Treat the extension as vulnerable, and update it if a newer version becomes available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- advcomsys.com/oneVote component for Joomla (v5), Range: 1.7.0
Patches
No patches discovered yet.
References
[1] extensions.joomla.org/vulnerable-extensions/vulnerable/one-vote-1-7-xss-cross-site-scripting/ (mitre, third-party-advisory)