VYPR
Medium severity 6.1 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 15, 2026

CVE-2023-54360

Description

Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in JLex Review 6.0.1 via the review_id parameter allows attackers to inject scripts, enabling session hijacking and credential theft.

Vulnerability Overview CVE-2023-54360 describes a reflected cross-site scripting (XSS) vulnerability in the Joomla extension JLex Review version 6.0.1 [1]. The value of the review_id URL parameter is written into the page response without being neutralized (the CWE-79 pattern) [2], so an attacker who controls that parameter controls part of the returned HTML and can inject arbitrary JavaScript.

Exploitation The vulnerability is triggered by a crafted URL that carries a JavaScript payload in the review_id parameter. The proof-of-concept payload [3] combines an event handler with style attributes so that the script runs as soon as the victim's mouse moves over the page, with no further click required. No authentication is needed, but the attacker does need the victim to open the link, so delivery relies on social engineering such as a link sent by email or instant messaging.

Impact If a victim opens the crafted link, the injected script executes in their browser with the origin of the affected site. This can lead to session hijacking, credential theft, or other actions performed in the victim's context on the affected web application [2]. Whether the session cookie can be read directly depends on whether it carries the HttpOnly flag; even when it does, the script can still issue requests as the victim. The CVSS v3 score is 6.1 (Medium), the usual rating for reflected XSS: it reflects the required user interaction and the limited per-victim impact, and it does not take the public exploit into account.

Mitigation The vulnerability affects JLex Review version 6.0.1, and no fixed release is recorded on this page. Users should check for updates from the vendor JLexArt [4] or disable the extension until a patch is applied. In the meantime, a web server or WAF rule that restricts review_id to its expected format, a Content-Security-Policy that disallows inline scripts, and HttpOnly session cookies all limit what the attack can achieve. A proof-of-concept exploit has been publicly disclosed [3], which increases the likelihood of opportunistic exploitation.
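As an added example for the exploitation and mitigation points above (this is not code from the advisory, from the cited proof-of-concept or from JLex Review itself), the Python below models a page that reflects review_id unchanged beside one that validates and encodes it, and runs a format check over constructed access-log lines. Only the parameter name review_id comes from the advisory; the page template, the payload (a generic event-handler plus style-attribute injection, not the published PoC), the log lines and the assumption that review_id is a numeric identifier are all this example's own.

```python
"""Reflected XSS through a URL parameter: vulnerable vs. hardened rendering,
plus a log check for the same parameter.

Added illustration for CVE-2023-54360; this is NOT JLex Review's code. Only the
parameter name review_id comes from the advisory. The page template, the sample
payload and the log lines are constructed for the example, and the integer
check assumes review_id is a numeric identifier, which its name suggests but
the advisory does not state.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

REVIEW_ID_OK = re.compile(r"[0-9]{1,10}")


def _param(query_string: str, name: str = "review_id") -> str:
    """First value of `name` in the query string, percent-decoded ('' if absent)."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The defect class the CVE describes: the parameter is written into the
    HTML response untouched, so an attacker controls part of the markup."""
    review_id = _param(query_string)
    return f'<div class="review" data-id="{review_id}">Review {review_id}</div>'


def render_hardened(query_string: str) -> str:
    """Two independent defences: validate the type, then encode on output."""
    review_id = _param(query_string)
    # 1. A review id should be an integer; reject anything else before it is used.
    if not REVIEW_ID_OK.fullmatch(review_id):
        return '<div class="review error">Invalid review id</div>'
    # 2. Context-aware output encoding anyway (PHP: htmlspecialchars with
    #    ENT_QUOTES), so a future code path that skips step 1 still cannot
    #    break out of the attribute.
    safe = html.escape(review_id, quote=True)
    return f'<div class="review" data-id="{safe}">Review {safe}</div>'


# Constructed access-log lines (Common Log Format). The third carries a generic
# attribute-injection payload of the kind the advisory describes (event handler
# plus a style attribute); it is an illustration, not the published PoC.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Apr/2026:10:01:02 +0000] "GET /index.php?review_id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Apr/2026:10:01:09 +0000] "GET /index.php?review_id=13&page=2 HTTP/1.1" 200 4988',
    '203.0.113.5 - - [09/Apr/2026:10:02:44 +0000] "GET /index.php?review_id=1%22%20onmouseover%3D%22alert(1)%22%20style%3D%22position:fixed%22 HTTP/1.1" 200 5301',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_review_ids(log_lines):
    """Return (client_ip, decoded_value) for every request whose review_id is
    not a plain integer. Checking against the expected format rather than a
    list of bad characters means percent-encoded payloads are caught too,
    because parse_qs decodes the value before the check."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("review_id", []):
            if not REVIEW_ID_OK.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    payload = '1" onmouseover="alert(1)" style="position:fixed"'
    print("vulnerable:", render_vulnerable("review_id=" + payload))
    print("hardened:  ", render_hardened("review_id=" + payload))
    print("hardened:  ", render_hardened("review_id=42"))
    for ip, value in suspicious_review_ids(SAMPLE_LOG):
        print(f"flag {ip}: review_id={value!r}")
```

The hardened renderer applies two controls that do not depend on each other: a type check that rejects anything but digits, and HTML attribute encoding at the point of output. In a Joomla extension the equivalents are reading the parameter with the Input class's getInt() and encoding with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') wherever it is echoed. The log check is the same format rule turned into detection, which is what a temporary WAF or web server rule for review_id would enforce while no patch is available.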

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.