oss-sec mailing list archives
CVE Rejection Request: CVE-2014-7983 Joomla com_contact Persistent XSS
From: Egidio Romano <n0b0d13s () gmail com>
Date: Mon, 13 Oct 2014 21:20:24 +0200
Hello,

I believe this CVE [1] should be rejected for the following reason: the vulnerable parameter (jform[contact_email]) [2] is "persistent" only within a session variable. This happens within the ContactControllerContact::submit() method, where the data submitted to the contact form is stored inside the "com_contact.contact.data" session variable [3] through the JApplication::setUserState() method [4]. This means that a potential attacker would be able to execute evil JavaScript/HTML code only within their own session, not affecting the security of other Joomla! users or website visitors.

Even though the same "issue" might be exploited as a reflected XSS vulnerability, in my view it still cannot be considered a security threat because, in order to do that, the attacker needs to know the session token of the victim user, since the ContactControllerContact::submit() method calls the JSession::checkToken() method [5] to prevent cross-site request forgeries (CSRF).

Please let me know if you believe I'm wrong or I'm missing something.

Thank you.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7983
[2] http://hauntit.blogspot.it/2014/03/en-joomla-322-pre-auth-persistent-xss.html
[3] https://github.com/joomla/joomla-cms/blob/3.2.2/components/com_contact/controllers/contact.php#L86
[4] http://docs.joomla.org/How_to_use_user_state_variables
[5] https://github.com/joomla/joomla-cms/blob/3.2.2/components/com_contact/controllers/contact.php#L26

Best regards,
Egidio
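The following is an added model of the argument made in the message above, not Joomla code and not from the author: a per-session "user state" store, a submit step gated by a per-session token, and a form renderer that reads back only the caller's own state. All class and function names (SessionStore, submit_contact, render_form) are hypothetical stand-ins for the Joomla methods the message cites.

```python
import html
import secrets


class SessionStore:
    """One dict of user-state variables per session id (models setUserState).
    Hypothetical helper; not Joomla's JSession/JApplication."""
    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"csrf_token": secrets.token_hex(16), "state": {}}
        return sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf_token"]

    def set_user_state(self, sid, key, value):
        self._sessions[sid]["state"][key] = value

    def get_user_state(self, sid, key, default=None):
        return self._sessions[sid]["state"].get(key, default)


def submit_contact(store, sid, token, form):
    """Models the submit step: reject unless the token matches this session's
    token (the checkToken() step), then keep the fields in the submitter's own state."""
    if not secrets.compare_digest(token, store.csrf_token(sid)):
        return False  # token check failed: nothing is stored
    store.set_user_state(sid, "com_contact.contact.data", dict(form))
    return True


def render_form(store, sid, escape=True):
    """Re-populate the form from the caller's own user state. escape=False models
    the unescaped output the CVE describes; escape=True is the usual fix."""
    data = store.get_user_state(sid, "com_contact.contact.data", {})
    email = data.get("contact_email", "")
    return html.escape(email) if escape else email


def demo():
    store = SessionStore()
    attacker, victim = store.new_session(), store.new_session()
    payload = "<script>alert(1)</script>"  # constructed harmless test string
    # Submitted with the submitter's own valid token: stored in that session only.
    submit_contact(store, attacker, store.csrf_token(attacker), {"contact_email": payload})
    # Any other session reads back its own (empty) state, so it never sees the payload.
    victim_sees = render_form(store, victim, escape=False)
    # A forged cross-session submit without the victim's token is rejected.
    forged = submit_contact(store, victim, "guessed-token", {"contact_email": payload})
    return {"victim_sees": victim_sees, "forged_accepted": forged,
            "attacker_raw": render_form(store, attacker, escape=False),
            "attacker_escaped": render_form(store, attacker)}
```

Running demo() shows the payload echoed back unescaped only to the session that submitted it, an empty form for every other session, and the forged submit refused.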