[20180602] - Core - XSS vulnerability in language switcher module

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 1.6.0 through 3.8.8
Exploit type: XSS
Reported Date: 2018-May-07
Fixed Date: 2018-June-26
CVE Number: CVE-2018-12711

Description

In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.8.8

Solution

Upgrade to version 3.8.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Borja Lorenzo, Innotecsystem