CVE-2023-54364
Description
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla HikaShop 4.7.4 is vulnerable to reflected XSS via GET parameters in the product filter, allowing unauthenticated attackers to steal session tokens.
Vulnerability
Overview
CVE-2023-54364 describes a reflected cross-site scripting (XSS) vulnerability in Joomla HikaShop version 4.7.4. Values supplied in the from_option, from_ctrl, from_task and from_itemid GET parameters of the product filter endpoint (/index.php?option=com_hikashop&ctrl=product&task=filter) are written back into the response without output encoding, so an attacker-controlled value can break out of the HTML context in which it is reflected and run arbitrary JavaScript in the visitor's browser [2][4].
Exploitation
Details
The vulnerability can be exploited by an unauthenticated attacker who crafts a malicious URL containing an XSS payload in one of the vulnerable parameters. The attacker then delivers this URL to a victim via email, instant message, or other means. When the victim clicks the link, the injected script executes in the context of the vulnerable site. Proof-of-concept URLs have been published, demonstrating payloads that trigger on mouseover events or other user interactions [2]. No authentication or special privileges are required to trigger the reflection.
Impact
Successful exploitation lets the attacker run script in the victim's browser within the origin of the Joomla site: stealing the victim's session tokens or login credentials, defacing the page, or redirecting the user to a phishing site. The script can read local storage and any cookie not flagged HttpOnly; if the session cookie is HttpOnly the script cannot read it directly, but it can still issue requests from the victim's browser, which carries the session automatically, and so perform actions on behalf of the logged-in user [2][4].
Mitigation
Status
As of the publication date, no official patch has been confirmed for this vulnerability, the vendor's website does not mention a fix, and the exploit has been publicly disclosed [2][4]. Until a security release is available, the defect is addressed in the extension's output by encoding each of the from_* values for the context in which it is reflected (for an HTML attribute value, at minimum the characters & < > " '); this is more robust than blocklist-style input filtering, which is routinely bypassed. A Content-Security-Policy that disallows inline script reduces the impact but does not remove the bug. Upgrade to a newer version of HikaShop as soon as a security update becomes available, and confirm any claimed fix by checking that a canary injected into each of the four parameters no longer comes back unencoded.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
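The following is an added example and is not HikaShop's code or the published proof of concept. It models the defect described in the Exploitation and Mitigation sections above: a hypothetical filter form that re-emits the from_* values into hidden inputs unencoded, the same template hardened with output encoding, the canary check a tester runs to confirm which parameters reflect without encoding, and the shape of the attacker-delivered URL. The endpoint and the four parameter names come from the advisory; the template itself, the canary string, the placeholder host shop.example and the mouseover payload are assumptions.

```python
import html
from urllib.parse import urlencode

# The four GET parameters named in the advisory for CVE-2023-54364.
REFLECTED_PARAMS = ("from_option", "from_ctrl", "from_task", "from_itemid")

# Form target taken from the advisory; "&" is written as "&amp;" because it sits in an attribute.
FILTER_ACTION = "index.php?option=com_hikashop&amp;ctrl=product&amp;task=filter"


def render_filter_form_vulnerable(params):
    """Hypothetical model of the defect (not HikaShop's code): the filter form
    re-emits the from_* values as hidden inputs so the visitor can be sent back
    to the page they came from, and interpolates them into attribute values
    without any encoding."""
    hidden = "".join(
        f'<input type="hidden" name="{name}" value="{params.get(name, "")}">'
        for name in REFLECTED_PARAMS
    )
    return f'<form action="{FILTER_ACTION}">{hidden}</form>'


def render_filter_form_fixed(params):
    """Same template with output encoding for the HTML attribute context.
    html.escape(quote=True) rewrites & < > " ' so a value can neither close the
    quoted attribute nor start a new tag; this is the output-encoding fix the
    advisory recommends."""
    hidden = "".join(
        f'<input type="hidden" name="{name}" '
        f'value="{html.escape(str(params.get(name, "")), quote=True)}">'
        for name in REFLECTED_PARAMS
    )
    return f'<form action="{FILTER_ACTION}">{hidden}</form>'


# Canary a tester injects to find unencoded reflection: it carries the characters
# that matter in attribute and tag context, plus a token unlikely to occur otherwise.
CANARY = 'zq9<"\'>zq9'


def unescaped_reflections(render, base_params=None):
    """Inject CANARY into each candidate parameter in turn and report the
    parameters whose value comes back byte-for-byte, i.e. without encoding.
    `render` stands in for fetching the page; against a live target it would be
    an HTTP GET to the endpoint above."""
    found = []
    for name in REFLECTED_PARAMS:
        params = dict(base_params or {})
        params[name] = CANARY
        if CANARY in render(params):
            found.append(name)
    return found


def build_poc_url(param, payload, base="https://shop.example/index.php"):
    """Build the kind of link an attacker would send: the advisory's endpoint
    with the payload URL-encoded into one of the reflected parameters.
    shop.example is a placeholder host, not a real target."""
    query = {"option": "com_hikashop", "ctrl": "product", "task": "filter", param: payload}
    return f"{base}?{urlencode(query)}"


# Attribute-breakout payload in the style of the mouseover-triggered PoCs the advisory
# mentions: it closes the value="..." attribute and adds an event handler to the <input>.
MOUSEOVER_PAYLOAD = '" onmouseover="alert(document.domain)'


if __name__ == "__main__":
    print("vulnerable reflects:", unescaped_reflections(render_filter_form_vulnerable))
    print("fixed reflects:", unescaped_reflections(render_filter_form_fixed))
    print(render_filter_form_vulnerable({"from_itemid": MOUSEOVER_PAYLOAD}))
    print(render_filter_form_fixed({"from_itemid": MOUSEOVER_PAYLOAD}))
    print(build_poc_url("from_itemid", MOUSEOVER_PAYLOAD))
```

Running the module shows all four parameters reflecting the canary through the vulnerable template and none through the fixed one, and the rendered vulnerable input gains an onmouseover handler while the fixed input keeps the payload inert inside the quoted attribute. The canary check is the test to repeat against a real installation after applying a fix, since it does not depend on any particular payload being filtered.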
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in the index yet)