Platform: joomla
Component: joomla
Fixed in: 4.0.13
CVE-2023-54362 describes a reflected cross-site scripting (XSS) vulnerability affecting Joomla VirtueMart Shopping-Cart versions up to 4.0.12. The 'keyword' parameter of the product-variants endpoint is echoed into the response without adequate output encoding, so an attacker who gets a victim to open a crafted URL can have script of their choosing run in the victim's browser within the origin of the Joomla site. Successful exploitation can lead to session token theft (where the session cookie is not marked HttpOnly) or credential compromise; if the victim is a logged-in administrator, the injected script can also issue requests with administrator privileges and so endanger the entire Joomla instance.
Successful exploitation of CVE-2023-54362 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session on the vulnerable site. This can lead to session hijacking, credential theft via injected forms, and redirection to phishing sites. The attacker crafts a URL whose 'keyword' parameter carries a script payload (usually URL-encoded) and delivers it by e-mail, chat or a link on another site; the script executes when the victim opens the link. Because the flaw is reflected rather than stored, the blast radius is limited to users who open the malicious URL, but the impact on each such user can be severe.
CVE-2023-54362 was published on 2026-04-09. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the ease of exploitation of reflected XSS vulnerabilities.
Websites running Joomla with the VirtueMart Shopping-Cart component in version 4.0.12 or earlier are at risk. Because XSS runs in the browser and is bounded by the same-origin policy, other sites on a shared hosting server are not directly exposed by this flaw; the affected origin is the VirtueMart site itself. Sites with custom integrations or extensions built on top of VirtueMart should check whether they forward the 'keyword' parameter into additional pages, which can widen the set of reflection points that need patching.
• joomla: Examine the web server access log for requests to the product-variants endpoint whose keyword parameter contains tokens typical of XSS payloads (<script>, javascript:, onerror=), in raw or URL-encoded form. The pattern uses -E because + is not a quantifier in grep's default basic regex syntax.
grep -Ei 'product-variants[^ ]*keyword=[^ ]*(<|%3c|javascript:|onerror)' /var/log/apache2/access.log
• generic web: Use curl to send a harmless, URL-encoded marker payload in the keyword parameter and check whether the response body reflects it unencoded. curl does not execute scripts; an unescaped echo of the payload in the HTML is the indicator.
curl -s 'https://example.com/product-variants?keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -F '<script>alert(1)</script>'
• generic web: Check the response headers for a Content-Security-Policy. A strict CSP (script-src without 'unsafe-inline', using nonces or hashes) limits what an injected script can do even while the flaw is present; it does not remove the need to patch.
curl -sI https://example.com/product-variants | grep -i 'content-security-policy'
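The log check above is a single grep; attackers routinely mask payloads with double URL-encoding, which a raw string match misses. The script below is an added example (not VirtueMart or Joomla project code, nor part of the original advisory) that parses combined-format access log lines, isolates the keyword parameter of requests to the product-variants endpoint, percent-decodes it until stable, and flags common XSS markers. The endpoint path /product-variants and the four log lines are constructed assumptions for the demonstration.

```python
"""Scan combined-format web access logs for reflected-XSS probes against the
'keyword' parameter of the product-variants endpoint (CVE-2023-54362).

Added illustration, not VirtueMart or Joomla code. The endpoint path
/product-variants and the sample log lines are constructed assumptions."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (Apache combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2026:10:01:12 +0000] "GET /product-variants?keyword=blue+shirt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2026:10:02:44 +0000] "GET /product-variants?keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301 "-" "curl/8.4.0"
198.51.100.9 - - [09/Apr/2026:10:03:02 +0000] "GET /product-variants?keyword=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5302 "-" "Mozilla/5.0"
198.51.100.3 - - [09/Apr/2026:10:04:10 +0000] "GET /index.php?option=com_content&id=7&keyword=%3Cb%3E HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Tokens typical of XSS probes; matched case-insensitively after decoding.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|body)\b",
    re.IGNORECASE,
)


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded
    payloads such as %253C (-> %3C -> <) are unmasked."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_keyword(target: str) -> Optional[str]:
    """Return the (once-decoded) 'keyword' value if the request targets the
    product-variants endpoint, else None."""
    parts = urlsplit(target)
    if "product-variants" not in parts.path:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("keyword")
    return values[0] if values else None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request whose fully decoded keyword contains an XSS marker."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        keyword = extract_keyword(match.group("target"))
        if keyword is None:
            continue
        decoded = decode_repeatedly(keyword)
        marker = XSS_MARKERS.search(decoded)
        if marker:
            hits.append({
                "client": line.split(" ", 1)[0],
                "keyword": decoded,
                "marker": marker.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']}  marker={hit['marker']!r}  keyword={hit['keyword']!r}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the plain "blue shirt" search and the request to an unrelated path are ignored, while both the single- and the double-encoded probes are reported with their decoded payload, which is what the grep one-liner cannot do for the %253C form.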
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2023-54362 is to upgrade Joomla VirtueMart Shopping-Cart to version 4.0.13 or later. If immediate patching is not feasible, the root cause is missing output encoding: any place the 'keyword' value is written into HTML must HTML-escape it (and attribute-escape it where it lands inside an attribute), and input should additionally be restricted to the characters a search term legitimately needs. A web application firewall can be configured to block requests whose 'keyword' parameter contains script markers, including URL-encoded and double-encoded forms, but this is a stopgap that determined attackers can often bypass. A strict Content-Security-Policy and HttpOnly session cookies reduce the impact of any remaining reflection point.
Update VirtueMart to a fixed version. Visit the VirtueMart website for further information on available updates and installation instructions.
CVE-2023-54362 is a reflected XSS vulnerability in Joomla VirtueMart Shopping-Cart versions up to 4.0.12, allowing attackers to inject malicious scripts via the 'keyword' parameter.
If you are using Joomla VirtueMart Shopping-Cart version 4.0.12 or earlier, you are potentially affected by this vulnerability. Upgrade to version 4.0.13 or later as soon as possible.
The recommended fix is to upgrade Joomla VirtueMart Shopping-Cart to version 4.0.13 or a later patched release. Check the official Joomla or VirtueMart websites for the latest updates.
There is currently no confirmed evidence of active exploitation, but the vulnerability is publicly known and PoCs are likely to emerge, increasing the risk.
Refer to the official Joomla security advisories and the VirtueMart website for updates and information regarding CVE-2023-54362.