Platform: joomla
Component: joomla
Fixed in: 6.0.2
CVE-2023-54360 describes a reflected cross-site scripting (XSS) vulnerability in Joomla JLex Review version 6.0.1. The component reflects the value of the review_id URL parameter into the page without adequate validation or output encoding, so an attacker who can get a victim to open a crafted link can run script in that victim's browser. Successful exploitation could lead to session hijacking, credential theft, or other actions performed in the victim's session. The vulnerability was published on 2026-04-09, and mitigation involves upgrading to a patched version of JLex Review.
The primary impact of CVE-2023-54360 is the potential for attackers to execute arbitrary JavaScript code within the context of a user's browser session. This can be achieved by crafting malicious URLs containing JavaScript payloads and enticing users to click them. Once executed, the attacker can steal session cookies, redirect users to phishing sites, or deface the website. The blast radius extends to any user who interacts with the vulnerable page, particularly those who click on specially crafted links. While the vulnerability is reflected, meaning it requires user interaction, the ease of crafting and distributing malicious links makes it a significant risk, especially on sites with high traffic or user engagement.
The vulnerability is publicly known and documented in the CVE database. As of the publication date (2026-04-09), there is no indication of active exploitation campaigns or inclusion on the CISA KEV catalog. Public proof-of-concept (PoC) code may exist or emerge, increasing the risk of exploitation. The CVSS score of 6.1 (Medium) indicates a moderate level of severity and potential for exploitation.
Websites using Joomla CMS with the JLex Review component installed, particularly those with user-generated content or review systems, are at risk. Sites with weak input validation or inadequate security practices are especially vulnerable. Shared hosting environments where multiple websites share the same server resources are also at increased risk.
• joomla / server:
grep -r 'review_id=[^&]*' /var/log/apache2/access.log | grep -i 'javascript:'
• generic web:
curl -I 'https://example.com/?review_id=<script>alert(1)</script>' | grep 'Content-Type:'
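The grep above only matches a literal `javascript:` string, so a percent-encoded payload (`javascript%3A`, `%3Cscript%3E`) in the access log is missed. The following added example (not part of the advisory) parses Apache combined-format lines, URL-decodes every review_id value, and flags anything that is not a plain integer, distinguishing markup-bearing probes from merely malformed values. The log lines and the `com_jlexreview` request path are constructed sample data, not real traffic.

```python
"""Scan an Apache access log for review_id values that cannot be legitimate.

Added illustration for CVE-2023-54360 triage; not code from the advisory or
from the JLex Review project. All log lines below are constructed samples.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample traffic in Apache combined format (the request path is assumed).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2026:10:00:01 +0000] "GET /index.php?option=com_jlexreview&review_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2026:10:00:02 +0000] "GET /index.php?option=com_jlexreview&review_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2026:10:00:03 +0000] "GET /index.php?option=com_jlexreview&review_id=1%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5200 "-" "curl/8.0"
203.0.113.11 - - [09/Apr/2026:10:00:04 +0000] "GET /index.php?option=com_jlexreview&review_id=javascript%3Aalert(1) HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.13 - - [09/Apr/2026:10:00:05 +0000] "GET /index.php?option=com_jlexreview&review_id=7&task=view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.15 - - [09/Apr/2026:10:00:06 +0000] "GET /index.php?option=com_jlexreview&review_id=abc HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Fragments a numeric review id never contains: tags, a javascript: scheme,
# inline event handlers, or quotes that would break out of an attribute.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|on\w+\s*=|["\']', re.IGNORECASE)


def review_id_values(target: str) -> List[str]:
    """Return every review_id value in a request target, fully percent-decoded."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("review_id", [])
    # parse_qs decodes once; decode again so double-encoded payloads are seen in clear.
    return [unquote_plus(v) for v in values]


def classify(value: str) -> Optional[str]:
    """None for a legitimate integer id, otherwise a short reason label."""
    if value.isdigit():
        return None
    if SUSPICIOUS_RE.search(value):
        return "xss-probe"
    return "non-numeric"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Collect one finding per flagged review_id value, with source IP and time."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse; skip rather than guess
        for value in review_id_values(match["target"]):
            reason = classify(value)
            if reason is not None:
                findings.append(
                    {"ip": match["ip"], "ts": match["ts"], "review_id": value, "reason": reason}
                )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["reason"]}: {finding["review_id"]!r}')
```

Because a real review_id is an integer, the detector does not need a payload signature list at all: any non-numeric value is at least anomalous, and the signature check only serves to prioritise. Run it against a copied log (`scan_log(open(path).read())`) or pipe `grep review_id access.log` into it.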
Exploit status
EPSS: 0.03% (10th percentile)
CVSS vector
The primary mitigation for CVE-2023-54360 is to upgrade Joomla JLex Review to a patched version; the metadata at the top of this advisory lists 6.0.2 as the fixed release. Where the upgrade cannot be applied immediately, validate the review_id parameter server-side (a review identifier should be accepted only as an integer) and encode any user-supplied value before it is rendered into HTML. A web application firewall (WAF) with XSS rules adds a layer of protection, but it is a compensating control rather than a fix, since encoding variations can evade signature rules. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload into the review_id parameter and verifying that it is reflected encoded, not executed.
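To make the mitigation concrete, here is an added example (not JLex Review's code, which is PHP) contrasting a handler that reflects review_id raw with one that first rejects anything but an integer and, where a rejected value must be echoed in an error message, HTML-encodes it on output. The template markup is invented for the illustration. In a Joomla component the equivalent is reading the parameter with `$app->input->getInt('review_id')` and passing anything echoed through `htmlspecialchars()` or the view's `$this->escape()`.

```python
"""Vulnerable versus hardened reflection of a review_id query parameter.

Added illustration of the CVE-2023-54360 bug class and its fix; not code from
JLex Review. The HTML template is constructed for the example.
"""
from html import escape
from typing import Dict, Optional

# Constructed page fragment that echoes the identifier in text and in an attribute.
TEMPLATE = '<h2>Review #{rid}</h2><a href="/index.php?review_id={rid}">permalink</a>'


def render_vulnerable(params: Dict[str, str]) -> str:
    """Reflects the raw parameter into HTML: the pattern the advisory describes."""
    rid = params.get("review_id", "")
    return TEMPLATE.format(rid=rid)


def parse_review_id(raw: Optional[str]) -> Optional[int]:
    """Accept only a non-negative decimal integer; reject everything else."""
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def render_hardened(params: Dict[str, str]) -> str:
    """Validate the type first; encode on output anything that is still echoed."""
    raw = params.get("review_id", "")
    rid = parse_review_id(raw)
    if rid is None:
        # The rejected value is shown only in encoded form. quote=True also
        # encodes " and ' so the value cannot break out of an attribute either.
        return '<p>No review with id "{}".</p>'.format(escape(raw, quote=True))
    # An int cannot carry markup, so the template is safe to fill directly.
    return TEMPLATE.format(rid=rid)


if __name__ == "__main__":
    probe = {"review_id": "<script>alert(1)</script>"}
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    print("hardened:  ", render_hardened({"review_id": "42"}))
```

Type validation is what actually removes the bug here: once review_id can only be an integer, there is nothing for a payload to ride on. Output encoding remains necessary for any parameter that legitimately carries free text, and for the error path shown above.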
Update the JLex Review component to the latest available version to fix the XSS vulnerability. Check the release notes for specific update instructions. In addition, validate and escape all user input properly to prevent future XSS vulnerabilities.
CVE-2023-54360 is a reflected XSS vulnerability in Joomla JLex Review 6.0.1, allowing attackers to inject malicious scripts via the review_id URL parameter.
You are affected if you are using Joomla JLex Review version 6.0.1 and have not upgraded to a patched version.
Upgrade Joomla JLex Review to a patched version. Implement input validation and output encoding as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability is easily exploitable and could be targeted in the future.
Refer to the official Joomla security advisories for updates and further details regarding CVE-2023-54360.