Overview
In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
Details
The index.php of Joomla!'s default templates does not properly escape the file name of the logo PNG when rendering it into the page. An authenticated attacker who can edit the template's settings can select a PNG whose file name breaks out of the HTML attribute, causing arbitrary JavaScript to execute in a victim's browser.
PoC Details
Make sure the Joomla instance is up and running, then:
1. In a browser, open the `joomla/administrator/index.php` endpoint and log in as admin.
2. On the toolbar at the top of the page, click `Extensions`, then `Templates`.
3. Click the `protostar - Default` template in the list (it should be starred as the default; if not, star it as default).
4. Open the `Advanced` tab.
5. In a terminal, create a file with the name given under PoC Code in the `<joomla dir>/images` directory.
6. Back in the Joomla site, click the `Select` button next to the `Logo` option, choose the file just created and click `Insert`.
7. Click `Save & Close`.
8. Visit the `joomla/index.php` endpoint and observe the payload being executed.
PoC Code
joomla_black.png" onload=alert(document.cookie) onmouseover=".png
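The following is an added illustration, not code from Joomla! or from this advisory: it renders the logo tag with the PoC file name both unescaped (the vulnerable pattern) and attribute-escaped (the fix), parses the result the way a browser would to show which attributes appear, and includes a check defenders can run over stored logo values or files under images/. The site root URL and the tag layout are assumptions, not the template's actual markup.

```python
import html
from html.parser import HTMLParser

# Constructed sample values: the PoC file name from this advisory, as it would be
# stored in the template's logo parameter, plus an assumed site root URL.
POC_LOGO = 'joomla_black.png" onload=alert(document.cookie) onmouseover=".png'
SITE_ROOT = "https://example.invalid/"


def render_logo_unescaped(logo_file, site_root=SITE_ROOT):
    """Vulnerable pattern: the stored name is concatenated straight into src,
    so a double quote in it terminates the attribute."""
    return '<img src="' + site_root + "images/" + logo_file + '" alt="logo">'

def render_logo_escaped(logo_file, site_root=SITE_ROOT):
    """Hardened pattern: encode for an HTML attribute context; quote=True
    turns both kinds of quotes into character references."""
    src = html.escape(site_root + "images/" + logo_file, quote=True)
    return '<img src="' + src + '" alt="logo">'

class _ImgAttrCollector(HTMLParser):
    """Collects the attribute names a browser-like parser sees on <img> tags."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.names.extend(name for name, _value in attrs)

def img_attribute_names(markup):
    """Parse rendered markup and return the attribute names of its <img> tags."""
    collector = _ImgAttrCollector()
    collector.feed(markup)
    return collector.names

def event_handler_attrs(markup):
    """Names starting with 'on' are inline event handlers: any present on the
    logo tag means the file name broke out of the src attribute."""
    return [n for n in img_attribute_names(markup) if n.lower().startswith("on")]

def suspicious_logo_names(file_names):
    """Defender check for stored logo values or files under images/: flag names
    containing characters that can close or open HTML syntax."""
    bad = set('"\'<>')
    return [n for n in file_names if any(c in bad for c in n)]
```

With the PoC name, the unescaped render yields `onload` and `onmouseover` attributes on the tag, while the escaped render leaves only `src` and `alt`.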
Affected Environments
Joomla! 3.0.0 through 3.9.11
Prevention
Upgrade to Joomla! 3.9.12