Joomla XSS Bugs Open Millions of Websites to RCE

The Joomla open source content management system (CMS) is vulnerable to multiple cross-site scripting (XSS) security vulnerabilities that could allow remote code execution (RCE).

Sonar's Vulnerability Research Team discovered that one fundamental flaw, tracked as CVE-2024-21726, is at the heart of the issues. It affects Joomla's core filter component.

"Inadequate content filtering leads to XSS vulnerabilities in various components," according to Joomla's advisory, which called the bug "moderate" but did not include a CVSS vulnerability-severity score.

Cyberattackers can exploit XSS bugs to inject malicious scripts into benign and trusted websites, which can in turn steal visitor information, perform malicious redirects, or infect users with malware. In this case, assailants can trigger the issues by convincing an administrator to click on a malicious link.

Joomla powers around 2% of all websites, with most deployments publicly accessible — making it an ongoing target for threat actors. The issue is patched in Joomla versions 5.0.3/4.4.3, released today, so users should update ASAP to avoid falling prey to attackers.