CVE-2024-40748
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Joomla allows attackers to inject malicious scripts into menu list ID attributes. When exploited, it enables attackers to steal session cookies, redirect users, or perform actions on behalf of authenticated users. All Joomla installations using affected versions are vulnerable.
💻 Affected Systems
- Joomla CMS
📦 What is this software?
Joomla! by Joomla
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of the Joomla installation, deface websites, install backdoors, or exfiltrate sensitive data.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or perform limited actions based on the victim's permissions.
If Mitigated
With proper output escaping and Content Security Policy (CSP), impact is limited to script execution in isolated contexts without access to sensitive data.
🎯 Exploit Status
Exploitation requires the attacker to have access to create or modify menu items, which typically requires at least author-level permissions. The vulnerability is in the output rendering phase.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Joomla 4.4.5 and 5.0.5
Vendor Advisory: https://developer.joomla.org/security-centre/955-20250102-core-xss-vector-in-the-id-attribute-of-menu-lists.html
Restart Required: No
Instructions:
1. Back up your Joomla installation and database.
2. Log into the Joomla administrator panel.
3. Go to System → Update → Joomla.
4. Click 'Check for Updates'.
5. If updates are available, click 'Install the Update'.
6. Verify the update completed successfully.
🔧 Temporary Workarounds
Implement Content Security Policy
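Platform: all. Add a Content Security Policy header to restrict script execution sources.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https:;"
Or configure it in the web server configuration files. Because this policy includes 'unsafe-inline' in script-src, it restricts where external scripts can load from but does not block inline scripts or event-handler attributes.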
Restrict Menu Editing Permissions
Platform: all. Limit which user groups can create or edit menu items.
1. Go to Users → Groups
2. Review and restrict 'Menu' permissions for non-administrator groups
3. Remove 'Create', 'Edit', and 'Edit State' permissions where not needed
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in ID attributes
- Regularly audit user accounts and remove unnecessary menu editing permissions
🔍 How to Verify
Check if Vulnerable:
Check Joomla version in administrator panel (System → System Information) or by examining the /administrator/manifests/files/joomla.xml file version attribute.
Check Version:
Check Joomla version via: grep '<version>' /path/to/joomla/administrator/manifests/files/joomla.xml
Verify Fix Applied:
After updating, verify version shows 4.4.5+ or 5.0.5+ in System Information. Test by attempting to inject script tags in menu ID fields (in a controlled test environment).
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by menu creation/modification
- Unusual menu item creations or modifications from non-administrator accounts
- Log entries showing script tags or JavaScript in menu ID parameters
Network Indicators:
- HTTP requests containing script tags in 'id' parameters of menu-related endpoints
- Unusual outbound connections from Joomla server after menu interactions
SIEM Query:
source="joomla_logs" AND (event="menu_create" OR event="menu_edit") AND (id_param CONTAINS "<script>" OR id_param CONTAINS "javascript:")
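The query above matches only the literal strings "<script>" and "javascript:". The following added example (not part of the original page and not Joomla code) applies the same filter to JSON-lines events, but percent-decodes the value first and flags any id that falls outside a conservative allowlist. The field names event, id_param and user follow the query above; the JSON-lines log format and the allowlist are assumptions.

```python
import json
import re
from urllib.parse import unquote

MENU_EVENTS = {"menu_create", "menu_edit"}           # event names from the page's query
SAFE_ID = re.compile(r"[A-Za-z0-9_\-:.]+")           # conservative allowlist (assumption)
SCRIPT_HINT = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded values look the same."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(event):
    """Return None for an event that needs no review, else a short reason string."""
    if event.get("event") not in MENU_EVENTS:
        return None
    id_value = decode_fully(str(event.get("id_param", "")))
    if id_value == "" or SAFE_ID.fullmatch(id_value):
        return None
    if SCRIPT_HINT.search(id_value):
        return "script-marker"
    return "non-identifier-characters"  # quotes, spaces, angle brackets, ...

def scan(lines):
    """Return [(user, reason), ...] for JSON-lines events that need review."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON event line
        if isinstance(event, dict) and (reason := classify(event)):
            hits.append((event.get("user", "?"), reason))
    return hits

# Constructed sample events (not real log data); field names are assumptions.
SAMPLE = [json.dumps(e) for e in (
    {"event": "menu_edit", "user": "editor1", "id_param": "main-nav"},
    {"event": "menu_edit", "user": "author7", "id_param": "%3CScRiPt%3E"},
    {"event": "menu_create", "user": "author7", "id_param": "%253Cscript%253E"},
    {"event": "menu_edit", "user": "author9", "id_param": 'nav" data-x="1'},
    {"event": "login", "user": "guest", "id_param": "<script>"},
)] + ["not json"]

if __name__ == "__main__":
    for user, reason in scan(SAMPLE):
        print(f"{user}: {reason}")
```

The allowlist check also flags ids that contain quotes or spaces but no script marker, which a substring match alone would not report.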