CVE-2023-54363
Description
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla Solidres 2.13.3 has a reflected XSS vulnerability in multiple GET parameters, allowing unauthenticated attackers to inject scripts via crafted URLs.
Vulnerability
Overview
CVE-2023-54363 describes a reflected cross-site scripting (XSS) vulnerability in Joomla Solidres version 2.13.3, a hotel and tour booking extension for Joomla CMS [1][2]. The vulnerability stems from insufficient sanitization of user-supplied input in multiple GET parameters, including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. An attacker can embed arbitrary JavaScript payloads into these parameters, which are then reflected back to the user's browser without proper encoding or validation [3][4].
Exploitation
Exploitation requires no authentication, so any remote attacker can attempt it [4]. The attack vector is network-based and relies on social engineering: the attacker crafts a URL containing the XSS payload in one of the vulnerable parameters and delivers it to a victim via email, instant message, or other means [3]. When the victim opens the link and the page renders, the injected script executes in the context of the victim's session on the Joomla site. An example site is cited in [3]. Proof-of-concept URLs have been published, demonstrating injection points in parameters such as show, reviews, type_id, and distance [3].
Impact
Successful exploitation allows the attacker to perform a wide range of malicious actions within the victim's browser session. This includes stealing session tokens or login credentials, manipulating site content, and potentially redirecting the user to malicious sites [3][4]. The impact is limited to the victim's interaction with the vulnerable application, but the absence of an authentication requirement broadens the potential victim pool.
Mitigation
As of the publication date, users are advised to apply any available patches from the vendor or upgrade to a version where the input sanitization is properly implemented. The vulnerability has been publicly disclosed with exploit details, increasing the risk of active exploitation [3][4]. Administrators should review their Solidres installation and consider implementing web application firewall rules to filter malicious payloads in the identified GET parameters until a patch is applied.
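The two controls the text above implies (output encoding in the reflecting page, and an interim filter on the named GET parameters) are modelled below. This is an added example, not code from Solidres, Joomla or the advisory's references; it is written in Python rather than the extension's PHP so that it runs stand-alone. The parameter names come from the CVE description; the query strings and access-log lines are constructed for the example, and the markup heuristic is an assumption about what those numeric and keyword parameters should never contain.

```python
"""
Added illustration (not Solidres or Joomla code) of two controls for reflected
XSS in GET parameters:

 - reflect_unsafe / reflect_safe: echoing a parameter raw into HTML versus
   HTML-encoding it on output, which is the class of fix the text calls
   "properly implemented input sanitization".
 - inspect_query / triage_access_log: a WAF-style check restricted to the
   parameter names the CVE lists, usable as an interim filter or for reviewing
   web-server logs for attempts.

Parameter names are from the CVE description; the sample URLs and log lines
are constructed for this example.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# GET parameters named in CVE-2023-54363 (names taken from the advisory text).
SOLIDRES_PARAMS = {
    "show", "reviews", "type_id", "distance", "facilities",
    "categories", "prices", "location", "Itemid",
}

# Markup markers that have no legitimate place in these parameters (assumption:
# they carry ids, counts and keywords, never HTML). Checked after full URL
# decoding so percent-encoding cannot hide them.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|on[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding; stops early once the value is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def reflect_unsafe(param_value: str) -> str:
    """The vulnerable pattern: the parameter is concatenated into HTML verbatim."""
    return f"<p>Showing results for: {param_value}</p>"


def reflect_safe(param_value: str) -> str:
    """The fix: HTML-encode on output so the browser renders text, not markup."""
    return f"<p>Showing results for: {html.escape(param_value, quote=True)}</p>"


def inspect_query(url: str) -> list[str]:
    """Return the names of listed Solidres parameters whose value contains markup."""
    query = urlsplit(url).query
    flagged = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in SOLIDRES_PARAMS and _MARKUP_RE.search(fully_decode(value)):
            flagged.append(name)
    return flagged


def triage_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Apply inspect_query to the request target of each combined-format log line."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        flagged = inspect_query(m.group(1))
        if flagged:
            hits.append((line.split()[0], flagged))   # (client IP, parameter names)
    return hits


# Constructed sample traffic: one ordinary request, one with percent-encoded
# markup in `show`, one with an event-handler attribute in `location`.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/May/2026:10:00:01 +0000] "GET /index.php?option=com_solidres&show=10&distance=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/May/2026:10:00:02 +0000] "GET /index.php?option=com_solidres&show=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/May/2026:10:00:03 +0000] "GET /index.php?option=com_solidres&location=x%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, params in triage_access_log(SAMPLE_LOG):
        print(f"{client}: markup in {params}")
    print(reflect_unsafe("<b>x</b>"))   # tags reach the browser as markup
    print(reflect_safe("<b>x</b>"))     # tags reach the browser as text
```

The filter is a heuristic: it only looks at the nine parameters the CVE names and only for tag, `javascript:` and event-handler syntax, so it will miss payloads outside that shape and can misfire on odd but legitimate values. It is a stop-gap for the period before a fixed version is installed; the durable fix is what `reflect_safe` models, encoding every reflected parameter at the point it is written into HTML.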
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.