Joomla! Q-Personel Component "personel_sira" Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA37897

VERIFY ADVISORY:
http://secunia.com/advisories/37897/

DESCRIPTION:
A vulnerability has been discovered in the Q-Personel component for
Joomla!, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Input passed to the "personel_sira" parameter in index.php (if
"option" is set to "com_qpersonel" and "task" is set to "sirala") is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

The vulnerability is confirmed in version 1.0.2 (RC2). Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
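The following is an added illustration, not code from the Q-Personel component or from this advisory: a hypothetical stand-in for the "sirala" handler that reflects "personel_sira" verbatim, next to a hardened version that allowlists the value and HTML-encodes it, plus a helper that flags requests hitting this code path with unexpected characters. The allowlist pattern and the hidden-field markup are assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the vulnerable behaviour described in the advisory:
# the parameter is reflected into the page without any encoding.
def render_sirala_vulnerable(personel_sira: str) -> str:
    return f'<input type="hidden" name="personel_sira" value="{personel_sira}">'

# Assumed allowlist: a short token of letters, digits, underscore or hyphen.
SIRA_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Hardened form: reject anything outside the allowlist, then encode for the
# HTML attribute context (quote=True also escapes " and ') before output.
def render_sirala_hardened(personel_sira: str) -> str:
    if not SIRA_ALLOWED.fullmatch(personel_sira):
        personel_sira = ""  # do not reflect unexpected input at all
    safe = html.escape(personel_sira, quote=True)
    return f'<input type="hidden" name="personel_sira" value="{safe}">'

def is_qpersonel_sirala(url: str) -> bool:
    """True when the request targets the code path named in the advisory."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("option") == ["com_qpersonel"] and qs.get("task") == ["sirala"]

def get_sira(url: str) -> str:
    """Decoded personel_sira value, or '' when absent."""
    return parse_qs(urlsplit(url).query).get("personel_sira", [""])[0]

def suspicious_request(url: str) -> bool:
    """Defender-side check: the vulnerable path with a value outside the allowlist."""
    return is_qpersonel_sirala(url) and not SIRA_ALLOWED.fullmatch(get_sira(url))

if __name__ == "__main__":
    # Constructed request with a harmless markup probe in personel_sira.
    url = "/index.php?option=com_qpersonel&task=sirala&personel_sira=%22%3E%3Ci%3Eprobe%3C/i%3E"
    print("vulnerable:", render_sirala_vulnerable(get_sira(url)))
    print("hardened:  ", render_sirala_hardened(get_sira(url)))
    print("flagged:   ", suspicious_request(url))
```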

PROVIDED AND/OR DISCOVERED BY:
Pyske

ORIGINAL ADVISORY:
http://www.exploit-db.com/exploits/10738
