CVE-2024-21730 – This CVE describes a self-XSS vulnerability in ... (How to Fix)

Q: What is the severity of CVE-2024-21730?

CVE-2024-21730 has a CVSS score of 5.4 (MEDIUM). This CVE describes a self-XSS vulnerability in Joomla's fancyselect list field layout where user inputs are not properly escaped. It allows attackers to inject malicious scripts that execute in the victim's browser when they interact with the compromised input. This affects Joomla administrators and users who can access the vulnerable field.

📋 TL;DR

This CVE describes a self-XSS vulnerability in Joomla's fancyselect list field layout where user inputs are not properly escaped. It allows attackers to inject malicious scripts that execute in the victim's browser when they interact with the compromised input. This affects Joomla administrators and users who can access the vulnerable field.

💻 Affected Systems

Products:

Joomla CMS

Versions: Joomla 4.4.0 through 4.4.3

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects installations using the fancyselect list field layout component.

📦 What is this software?

Joomla\! by Joomla

View all CVEs affecting Joomla\! →

Joomla\! by Joomla

View all CVEs affecting Joomla\! →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could steal administrator session cookies, perform actions as the administrator, or redirect users to malicious sites.

🟠

Likely Case

Limited impact since it requires user interaction with a specifically crafted input field, typically affecting only the user who interacts with the malicious content.

🟢

If Mitigated

Minimal impact if users follow security best practices and don't interact with suspicious inputs.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction with a specifically crafted input field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Joomla 4.4.4

Vendor Advisory: https://developer.joomla.org/security-centre/936-20240702-core-self-xss-in-fancyselect-list-field-layout.html

Restart Required: No

Instructions:

1. Backup your Joomla installation and database. 2. Update to Joomla 4.4.4 via the Joomla Update component in the administrator panel. 3. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Sanitization

all

Implement custom input validation and output escaping for fancyselect list fields.

🧯 If You Can't Patch

Restrict access to administrator panels and implement strict user input validation.
Educate users about the risks of interacting with untrusted inputs in form fields.

🔍 How to Verify

Check if Vulnerable:

Check Joomla version in administrator panel under System → System Information → System Information tab.

Check Version:

Check Joomla version via administrator panel or examine /administrator/manifests/files/joomla.xml

Verify Fix Applied:

Confirm Joomla version is 4.4.4 or later in the administrator panel.

📡 Detection & Monitoring

Log Indicators:

Unusual input patterns in form submissions containing script tags or JavaScript code.

Network Indicators:

None specific to this vulnerability.

SIEM Query:

Search for form submissions containing suspicious script patterns in web application logs.

📊 Metadata

CVE ID: CVE-2024-21730

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: July 9, 2024

Last Updated: March 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21730, you might also want to check these: