

Date: September 24, 2019


In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.


The default templates of Joomla! do not properly escape the file name of the logo PNG file when index.php renders it into the logo `<img>` tag. An authenticated attacker with permission to edit template settings (the PoC below uses an administrator account) can select a PNG file whose name contains a malicious payload; the double quote in the name closes the `src` attribute and the remainder of the name is emitted as additional attributes, so arbitrary JavaScript executes in the browser of anyone who visits the site's front page.

PoC Details

1. Make sure the Joomla! instance is up and running. In a browser, open the `joomla/administrator/index.php` endpoint and log in as an administrator.
2. On the toolbar at the top of the page, click `Extensions`, then `Templates`.
3. Click the `protostar - Default` template in the list (it should be starred as the default; if not, star it as the default).
4. Open the `Advanced` tab.
5. From a terminal, create a file in the `<joomla dir>/images` directory whose name is exactly the PoC Code below. The name contains double quotes and spaces, so wrap it in single quotes in the shell.
6. Back in the Joomla! template editor, click the `Select` button next to the `Logo` option, choose the file just created and click `Insert`.
7. Click `Save & Close`.
8. Visit the `joomla/index.php` endpoint and observe the payload executing: the file name is written unescaped into the logo `<img>` tag, so the `"` closes the `src` attribute and `onload=alert(document.cookie)` becomes an event handler attribute of the image.

PoC Code

joomla_black.png" onload=alert(document.cookie) onmouseover=".png
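The rendering defect behind this PoC, as an added example that is not Joomla!'s own template code: a minimal PHP reproduction of writing the stored logo file name into an `<img src>` attribute, first unescaped (vulnerable) and then escaped with `htmlspecialchars`, plus an allow-list check that a stored logo path is a plain relative path to an image. The function names, the `$siteRoot` value and the `$logoFile` variable are assumptions made for this example; the file name is the PoC payload from above. Run it with `php` on the command line and compare the two rendered tags.

```php
<?php
// Added example, not Joomla!'s template code. Shows why an unescaped
// file name in an HTML attribute is an XSS, and the escaped rendering
// that closes it. Names below ($siteRoot, $logoFile, the functions)
// are assumptions for this illustration.
declare(strict_types=1);

// Constructed input: the PoC file name from above, as it would be stored
// in the template parameters after selecting it in the media picker.
$logoFile = 'images/joomla_black.png" onload=alert(document.cookie) onmouseover=".png';
$siteRoot = 'https://example.com/';   // assumed site root

// Vulnerable rendering: the stored file name is concatenated straight into
// the src= attribute. The embedded double quote closes src=, and the rest
// of the file name becomes attributes (onload=..., onmouseover=...) of the
// <img> tag, so the browser executes the attacker's JavaScript.
function renderLogoVulnerable(string $root, string $logoFile): string
{
    return '<img src="' . $root . $logoFile . '" alt="logo" />';
}

// Hardened rendering: escape the value for an HTML attribute context.
// ENT_QUOTES converts both " and ' to entities, so no file name can
// terminate the attribute; the payload is rendered as inert text.
function renderLogoEscaped(string $root, string $logoFile): string
{
    $src = htmlspecialchars($root . $logoFile, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $src . '" alt="logo" />';
}

// Defense in depth: a logo is expected to be a relative path to a raster
// image under the site root. Reject anything else before it is stored or
// rendered. SVG is deliberately not allowed, since it can carry script.
function isSafeLogoPath(string $logoFile): bool
{
    if (strpos($logoFile, '..') !== false) {
        return false;                       // no directory traversal
    }
    return (bool) preg_match('~^[A-Za-z0-9_./-]+\.(png|jpe?g|gif)$~i', $logoFile);
}

echo "Vulnerable rendering:\n", renderLogoVulnerable($siteRoot, $logoFile), "\n\n";
echo "Escaped rendering:\n", renderLogoEscaped($siteRoot, $logoFile), "\n\n";
echo "Allow-list check on the stored path: ",
    isSafeLogoPath($logoFile) ? 'accepted' : 'rejected', "\n";
echo "Allow-list check on a normal logo:   ",
    isSafeLogoPath('images/joomla_black.png') ? 'accepted' : 'rejected', "\n";
```

The escaped form is the correct fix for the rendering bug: output encoding belongs at the point where the value meets the HTML context. The allow-list check is a separate, additional control on what the media field is allowed to store; on its own it would not protect other templates or extensions that render the same parameter.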

Affected Environments

Joomla! 3.x before 3.9.12 (fixed in 3.9.12)

Language: PHP

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to Joomla! 3.9.12 or later.


Base Score (CVSS v3): 6.1, computed from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score (CVSS v2): 4.3, computed from the vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None