============================================================
Joomla core package <= 3.1.5 includes a PHP script that suffers from a
reflected XSS vulnerability. It allows an attacker to inject HTML and
malicious scripts that can access any cookies, session tokens, or other
sensitive information retained by your browser and used with that
site.
Joomla is one of the most widely installed CMSs, with dozens of millions
of installations.
Affected file libraries/idna_convert/example.php has different injection points:
As usual, attackers can exploit these weaknesses to execute arbitrary
HTML and script code in the browser session of a user who visits the
maliciously crafted URL.
Joomla-CMS <= 3.1.5
Fixed by removing the vulnerable example file in git commit
c00c033d33d901e1ca6be9061a44e55acd041b1f
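Since the fix is the removal of the example file, a deployed site can be checked by looking for that file on disk. The following is an added example, not part of the original advisory or the Joomla project; the function names and the directory passed as argument are assumptions, and it tests only for the presence of libraries/idna_convert/example.php, not for the Joomla version.

```shell
#!/bin/sh
# Added example: locate installations that still ship the idna_convert
# example script named in the advisory.

# Path of the affected file, relative to an installation root (from the advisory).
IDNA_EXAMPLE_SUFFIX='/libraries/idna_convert/example.php'

# find_idna_example DIR
# Prints, one per line and sorted, every installation root under DIR that
# still contains the affected file as a regular file.
find_idna_example() {
    search_root=$1
    [ -d "$search_root" ] || { echo "not a directory: $search_root" >&2; return 2; }
    find "$search_root" -type f -path "*${IDNA_EXAMPLE_SUFFIX}" 2>/dev/null |
    while IFS= read -r hit; do
        # Strip the known suffix to recover the installation root.
        printf '%s\n' "${hit%"$IDNA_EXAMPLE_SUFFIX"}"
    done | sort
}

# count_idna_example DIR
# Prints the number of installations under DIR that still carry the file.
count_idna_example() {
    find_idna_example "$1" | wc -l | tr -d ' '
}

# Stand-alone use: pass the directory that holds the web roots (assumed layout).
if [ "$#" -gt 0 ]; then
    find_idna_example "$1"
fi
```

Any root it prints should have the file deleted, matching what the upstream commit does.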
http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/
https://github.com/joomla/joomla-cms/issues/1658
Emilio Pinna (emilio (dot) pinn (at) gmail (dot) com)
August 4, 2013: Ticket describing the bug opened by Adam Willard.
August 5, 2013: Fixed by Michael Babker.
August 5, 2013: Vulnerability disclosed by Emilio Pinna.
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.