CVE-2025-54295
Description
A Reflected XSS vulnerability in DJ-Reviews component 1.0-1.3.6 for Joomla was discovered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in DJ-Reviews component 1.0–1.3.6 for Joomla allows attackers to inject malicious scripts via crafted requests.
CVE-2025-54295 is a reflected cross-site scripting (XSS) vulnerability found in the DJ-Reviews component for Joomla, affecting versions 1.0 through 1.3.6. The flaw resides in improper sanitization of user-supplied input, allowing an attacker to inject arbitrary JavaScript or HTML into a page that is then echoed back without proper encoding. This is a classic case of reflected XSS, where the malicious payload is part of the request (e.g., in a URL parameter) and is immediately reflected in the server's response.
An attacker can exploit this vulnerability by crafting a specially constructed link containing the XSS payload and convincing a target user to click on it. The attack does not require authentication because the vulnerable parameter is processed before any privilege checks; the victim merely needs to open the crafted URL in a browser. The prerequisites are that the Joomla site is running the DJ-Reviews component in one of the vulnerable versions and that the victim follows the link; the script executes regardless of whether the victim is logged in, although the impact is greatest when they are.
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser on the vulnerable site. This can lead to session hijacking, defacement, or redirection to malicious sites. The impact is elevated because Joomla sites often host user-provided content or have administrative interfaces; a transient script execution could leak session cookies or perform administrative actions on behalf of the victim if they are logged in with sufficient privileges.
As of the CVE publication date (2025-07-23), users are advised to upgrade to a patched version above 1.3.6, as the vendor (DJ-Extensions) has likely addressed the issue in a subsequent release. Site administrators should also consider reviewing the component's permission settings and applying web application firewall rules to filter malicious query strings as a temporary workaround.
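To check whether an installed copy falls inside the affected range stated above, here is an added Python example (not code from the CVE record or from DJ-Extensions). It assumes the standard Joomla extension manifest layout, in which the component's XML manifest under administrator/components/ carries a <version> element; the folder and file names com_djreviews/djreviews.xml and the sample manifest are assumptions.

```python
"""Added check for CVE-2025-54295: is a Joomla DJ-Reviews install inside the
affected range >=1.0,<=1.3.6? The manifest path and sample below are assumed."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

AFFECTED_MIN = (1, 0)     # inclusive bounds taken from the CVE record
AFFECTED_MAX = (1, 3, 6)
# Assumed location, following Joomla's administrator/components/ manifest layout.
MANIFEST_REL = Path("administrator/components/com_djreviews/djreviews.xml")

def parse_version(text: str) -> tuple:
    """Turn '1.3.6' or '1.3.6-rc1' into a tuple of ints; suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def _pad(v: tuple, n: int) -> tuple:
    return v + (0,) * (n - len(v))  # so 1.3.6.0 compares equal to 1.3.6

def is_affected(version: str) -> bool:
    """True when version lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    v = parse_version(version)
    n = max(len(v), len(AFFECTED_MIN), len(AFFECTED_MAX))
    return _pad(AFFECTED_MIN, n) <= _pad(v, n) <= _pad(AFFECTED_MAX, n)

def manifest_version(xml_text: str) -> str:
    """Read the <version> element of a Joomla extension manifest."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()

def check_manifest(xml_text: str) -> dict:
    ver = manifest_version(xml_text)
    return {"version": ver, "affected": is_affected(ver)}

def check_site(site_root: str) -> dict:
    """Read the (assumed) manifest under a Joomla site root and check it."""
    path = Path(site_root) / MANIFEST_REL
    return check_manifest(path.read_text(encoding="utf-8"))

# Constructed sample manifest; not a real DJ-Reviews file.
SAMPLE_MANIFEST = """<extension type="component" method="upgrade">
  <name>com_djreviews</name>
  <version>1.3.6</version>
</extension>"""

if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST))  # {'version': '1.3.6', 'affected': True}
```

Run check_site("/path/to/joomla") against a real install; a result of affected=True means the site should be upgraded past 1.3.6 as the record advises.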
References
- [1] DJ-Extensions home page (general vendor site)
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DJ-Reviews component for Joomla (no CPE), version range: >=1.0,<=1.3.6
- DJ-Reviews component for Joomla (no CPE), version range: 1.0-1.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.