[20240805] - Core - XSS vectors in Outputfilter::strip* methods

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Moderate
Probability: Low
Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: XSS
Reported Date: 2024-07-22
Fixed Date: 2024-08-20
CVE Number: CVE-2024-40743

Description

The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jesper den Boer