Joomla! 2.5.x < 2.5.7 Multiple XSS

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server hosts a PHP application that is affected by
multiple cross-site scripting vulnerabilities.

Description :

According to its self-identified version number, the Joomla! install
hosted on the remote web server is affected by multiple cross-site
scripting vulnerabilities:

- Versions 2.5.x up to 2.5.6 fail to properly escape
user-supplied input, which can lead to a cross-site
scripting (XSS) vulnerability via unspecified vectors.
(CVE-2012-4351)

- Versions 2.5.x up to 2.5.6 fail to properly escape
user-supplied input to the language switcher module
(when enabled). This can lead to a cross-site
scripting (XSS) vulnerability.
(CVE-2012-4352)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?611dbe83
http://www.nessus.org/u?25d5b7c5

Solution :

Upgrade to version 2.5.7 or above or apply the referenced patch.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 64438 ()

Bugtraq ID: 54259
55818

CVE ID: CVE-2012-4531
CVE-2012-4532