5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
62.6%
High-Tech Bridge Security Research Lab discovered 2 vulnerabilities in MijoSearch Joomla Extension, which can be exploited to gain access to potentially sensitive data and perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.
Cross-site Scripting in MijoSearch: CVE-2013-6878
The vulnerability exists due to insufficient sanitisation of user-supplied data appended to “/component/mijosearch/search” URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The following exploitation example uses the JavaScript alert() function to display “ImmuniWeb” word:
http://[host]/component/mijosearch/search?query=im%22%3E%3Cdiv%20onmouseover =alert%28%22ImmuniWeb%22%29%20style=%22width:100%;height:10000px;z-index:100 %22%3E%3C/div%3E&limit=15&order=relevance&orderdir=desc
Information Exposure Through Externally-generated Error Message in MijoSearch: CVE-2013-6879
The vulnerability exists due to improper implementation of error handling mechanisms in “/component/mijosearch/search” URL. A remote attacker can send a specially crafted HTTP GET request to the vulnerable web application and gain knowledge of full installation path of the application.
The following exploitation example displays a warning message and installation path (if PHP “display_errors” is on)
http://[host]/component/mijosearch/search?query=im%22%3Eimmuniweb&limit=15%2 7%22%3Cb%3Eimmuniweb&order=relevance%27%22%3Cb%3Eimmuniweb&orderdir=desc%27% 22%3Cb%3Eimmuniweb
CPE | Name | Operator | Version |
---|---|---|---|
mijosearch | le | 2.0.1 |
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
62.6%