Date: Mon, 13 Oct 2014 21:20:24 +0200
From: Egidio Romano <>
Subject: CVE Rejection Request: CVE-2014-7983 Joomla com_contact Persistent XSS


I believe this CVE [1] should be rejected for the following reason: the
vulnerable parameter (jform[contact_email]) [2] is "persistent" only within
a session variable, which happens within the ContactControllerContact::submit()
method, where the data submitted to the contact form is stored inside the
"" session variable [3] through the
JApplication::setUserState() method [4]. This means that a potential
attacker would be able to execute evil JavaScript/HTML code only within their
own session, not affecting the security of other Joomla! users or website
visitors. Even though the same "issue" might be exploited as a reflected
XSS vulnerability, in my view it still cannot be considered a security
threat because, in order to do that, the attacker would need to know the session
token of the victim user, since the ContactControllerContact::submit()
method calls the JSession::checkToken() method [5] to prevent cross-site
request forgery (CSRF).

Please let me know if you believe I'm wrong or I'm missing something. Thank


Best regards,
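The following is an added illustration of the argument made in the post above; it is not Joomla code and not part of the original message. It models a contact controller whose submit handler first checks a per-session CSRF token (as the post says JSession::checkToken() does) and then stores the submitted data only in the submitter's own session state (as JApplication::setUserState() does), with a view that re-populates the form from that state. The class and method names, the "contact_form" state key, the sample payload and the `escape` switch are assumptions made for the model; the unescaped branch reproduces the condition the CVE describes, and the escaped branch is the generic output-encoding mitigation, not a description of any Joomla fix.

```python
"""Toy model (not Joomla's code) of a self-XSS bound to session state and
guarded by a CSRF token: the injected markup is only ever rendered back to
the session that submitted it, and a forged cross-site request cannot supply
the victim's token."""
import html
import secrets


class Session:
    """One visitor's session: an id, a CSRF token and a user-state store."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.token = secrets.token_hex(16)  # per-session form token (assumption)
        self.user_state = {}  # stands in for the setUserState() storage


class ContactApp:
    """Minimal model of the controller/view pair discussed in the post."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        s = Session()
        self.sessions[s.id] = s
        return s

    def submit(self, session_id, form, token):
        """Model of submit(): reject requests without the caller's own CSRF
        token, otherwise keep the posted form data in the caller's session."""
        s = self.sessions[session_id]
        if not secrets.compare_digest(token, s.token):
            return "403 invalid token"
        # "contact_form" is a placeholder for the real user-state key.
        s.user_state["contact_form"] = dict(form)
        return "302 redirect"

    def render_form(self, session_id, escape=True):
        """Model of the view re-filling the email field from session state.
        escape=False reproduces the unescaped output the CVE describes."""
        s = self.sessions[session_id]
        email = s.user_state.get("contact_form", {}).get("contact_email", "")
        if escape:
            email = html.escape(email, quote=True)
        return f'<input name="jform[contact_email]" value="{email}">'


# Constructed sample payload that breaks out of the value attribute.
PAYLOAD = '"><script>alert(1)</script>'


def demo():
    """Walk through the three points made in the post and return the results."""
    app = ContactApp()
    attacker = app.new_session()
    victim = app.new_session()

    # 1. The attacker submits the payload with a valid token for their own
    #    session; it is stored and rendered back, but only in that session.
    app.submit(attacker.id, {"contact_email": PAYLOAD}, attacker.token)
    self_xss = PAYLOAD in app.render_form(attacker.id, escape=False)

    # 2. Nothing leaks into another visitor's session state.
    victim_clean = PAYLOAD not in app.render_form(victim.id, escape=False)

    # 3. A cross-site forged POST cannot carry the victim's token, so the
    #    token check rejects it before any state is written.
    forged = app.submit(victim.id, {"contact_email": PAYLOAD}, "")
    victim_still_clean = PAYLOAD not in app.render_form(victim.id, escape=False)

    return {
        "self_xss": self_xss,
        "victim_clean": victim_clean and victim_still_clean,
        "forged": forged,
        "escaped": app.render_form(attacker.id, escape=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the payload rendered only to the session that posted it, the other session untouched, and the token-less forged request refused with the 403 result; the `escaped` entry shows the same stored value rendered harmlessly once attribute encoding is applied.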
