Vulnerability DatabaseCVE-2024-40748

CVE-2024-40748:
Joomla vulnerability analysis and mitigation

Overview

A cross-site scripting (XSS) vulnerability was discovered in Joomla! CMS affecting versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, and 5.0.0-5.2.2. The vulnerability was reported on September 19, 2024, and fixed on January 7, 2025. The issue stems from a lack of output escaping in the id attribute of menu lists (Joomla Security).

Technical details

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-site Scripting. The severity is rated as moderate with a low probability of exploitation. CISA-ADP has assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD Database).

Impact

The vulnerability could potentially allow attackers to execute malicious scripts in the context of the affected Joomla website, potentially leading to unauthorized access to sensitive information or manipulation of web content (Joomla Security).

Mitigation and workarounds

The vulnerability has been patched in Joomla versions 3.10.20-elts, 4.4.10, and 5.2.3. Users are advised to upgrade to these versions or later to mitigate the vulnerability (Joomla Security).