Platform: joomla
Component: joomla
Fixed in: 4.0.13
CVE-2023-54362 describes a reflected cross-site scripting (XSS) vulnerability affecting Joomla VirtueMart Shopping-Cart versions up to 4.0.12. This flaw allows attackers to inject malicious scripts into a victim's browser by manipulating the 'keyword' parameter within the product-variants endpoint. Successful exploitation could lead to session token theft or credential compromise, impacting user accounts and potentially the entire Joomla instance.
The primary impact of CVE-2023-54362 is the potential for cross-site scripting attacks. An attacker can craft a malicious URL containing a JavaScript payload within the 'keyword' parameter. When a user clicks this link, the injected script executes within their browser context. This allows the attacker to steal session cookies, redirect the user to a phishing site, or deface the website. The severity is amplified if the affected VirtueMart instance handles sensitive data or is integrated with other critical systems, as the attacker could potentially gain access to a wider range of resources. This vulnerability is similar to other reflected XSS flaws where user input is not properly sanitized before being rendered in the browser.
CVE-2023-54362 was publicly disclosed on 2026-04-09. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of this writing. Public proof-of-concept (PoC) code is likely to emerge given the nature of reflected XSS vulnerabilities, increasing the risk of exploitation. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2023-54362 is to upgrade Joomla VirtueMart Shopping-Cart to a patched version; the metadata above lists 4.0.13 as the fixed version. If upgrading immediately is not feasible, consider temporary workarounds. Input validation and output encoding on the product-variants endpoint are crucial. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the 'keyword' parameter can provide an additional layer of defense. Regularly scan your Joomla installation for vulnerabilities using security scanners.
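As an added example (not code from the advisory or from VirtueMart), the following Python script shows the two defensive sides mentioned above: a log check that flags product-variants requests whose 'keyword' value carries markup, even when double URL-encoded, and an output-encoded reflection of the keyword. The log format, the endpoint path and the sample lines are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic); the path and log
# format are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2026:10:01:02 +0000] "GET /index.php?option=com_virtuemart&task=product-variants&keyword=blue HTTP/1.1" 200 512
203.0.113.6 - - [09/Apr/2026:10:01:09 +0000] "GET /index.php?option=com_virtuemart&task=product-variants&keyword=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 1024
203.0.113.7 - - [09/Apr/2026:10:01:15 +0000] "GET /index.php?option=com_virtuemart&task=product-variants&keyword=%253Cscript%253E HTTP/1.1" 200 700
203.0.113.8 - - [09/Apr/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Markup or event-handler syntax that never belongs in a product search keyword.
SUSPECT_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded '<' (%253C) is caught as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_keywords(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded keyword) for product-variants requests whose
    keyword parameter contains markup; parse_qs already decodes one layer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        if "product-variants" not in query.get("task", []):
            continue
        for raw in query.get("keyword", []):
            keyword = decode_fully(raw)
            if SUSPECT_RE.search(keyword):
                hits.append((line.split()[0], keyword))
    return hits


def render_keyword(keyword: str) -> str:
    """Output-encoded reflection: the keyword is echoed as text, never as markup."""
    return f'<input name="keyword" value="{html.escape(keyword, quote=True)}">'
```

Run `suspicious_keywords(SAMPLE_LOG)` to list the two flagged requests; `render_keyword` is the encoding step a template should apply before echoing the parameter.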
Update VirtueMart to a patched version. Refer to the VirtueMart website for more information on available updates and installation instructions.
CVE-2023-54362 is a reflected XSS vulnerability in Joomla VirtueMart Shopping-Cart versions up to 4.0.12, allowing attackers to inject malicious scripts via the 'keyword' parameter.
If you are using Joomla VirtueMart Shopping-Cart version 4.0.12 or earlier, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Joomla VirtueMart Shopping-Cart to a patched version. Check the official Joomla or VirtueMart websites for the latest updates.
There is currently no confirmed evidence of active exploitation, but the vulnerability is publicly known and PoCs are likely to emerge, increasing the risk.
Refer to the official Joomla security advisories and the VirtueMart website for updates and information regarding CVE-2023-54362.