Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
The vulnerability is in Joomla's default site templates (for example protostar): the template's `logo` parameter is read with `$this->params->get('logo')` and echoed straight into the generated HTML. Because the value lands inside an HTML attribute with no escaping (no `htmlspecialchars()` with `ENT_QUOTES`), anyone able to set that parameter can close the attribute and inject markup or an event-handler attribute, which executes as script on every page the template renders. That is the template-level escaping failure (CWE-79) the advisory describes; the fix is to escape the parameter for attribute context at the point of output.
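The unescaped pattern and its hardened form, side by side, as an added example that is not code from Joomla or from the advisory. `$params` is a hypothetical plain-array stand-in for the template's `$this->params` registry, and the logo value is a constructed attacker-controlled string, not a real configuration:

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's own code. $params is a hypothetical stand-in for
// the template's $this->params registry; the logo value below is constructed to
// show how an unescaped parameter breaks out of the src attribute.

/** Constructed sample parameter set (hypothetical, not real site data). */
function sampleParams(): array
{
    return [
        'logo'     => 'images/logo.png" onerror="alert(document.domain)',
        'sitename' => 'Example Site',
    ];
}

/** Vulnerable pattern: the raw parameter is concatenated into an <img> tag. */
function renderLogoVulnerable(array $params): string
{
    $logo = (string) ($params['logo'] ?? '');
    $site = (string) ($params['sitename'] ?? '');
    return '<img src="' . $logo . '" alt="' . $site . '" />';
}

/**
 * Attribute-context escaper. ENT_QUOTES encodes both ' and ", so the value is
 * safe in single- or double-quoted attributes; ENT_COMPAT (the PHP default)
 * leaves ' untouched. The charset is passed explicitly so the result does not
 * depend on the interpreter's default_charset.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every parameter is escaped where it is emitted. */
function renderLogoSafe(array $params): string
{
    $logo = (string) ($params['logo'] ?? '');
    $site = (string) ($params['sitename'] ?? '');
    return '<img src="' . escapeAttr($logo) . '" alt="' . escapeAttr($site) . '" />';
}

/**
 * Regression check: true when the rendered tag carries an event-handler
 * attribute, i.e. the untrusted value closed src="..." and started a new one.
 * In the escaped output the quote becomes &quot; so no attribute boundary exists.
 */
function hasInjectedHandler(string $html): bool
{
    return preg_match('/\s+on[a-z]+\s*=\s*"/i', $html) === 1;
}

$params     = sampleParams();
$vulnerable = renderLogoVulnerable($params);
$safe       = renderLogoSafe($params);

echo "Vulnerable: {$vulnerable}\n";
echo "Escaped:    {$safe}\n";

if (!hasInjectedHandler($vulnerable) || hasInjectedHandler($safe)) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "OK: raw output is injectable, escaped output is not\n";
```

Run it with `php logo_escape.php`. On a deployed 3.x site the equivalent manual check is to search the `templates/` tree for `params->get('logo')` and confirm each output site wraps the value in `htmlspecialchars()` with `ENT_QUOTES`; an `ENT_COMPAT` call is only sufficient when the attribute is double-quoted.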
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| joomla/joomla-cms | composer | >= 3.0.0, < 3.9.12 | 3.9.12 |