Joomla Kubik-Rubik SIGE 3.2.3 Cross Site Scripting

Joomla Kubik-Rubik Simple Image Gallery Extended (SIGE) component version 3.2.3 suffers from a cross site scripting vulnerability.

MD5 | c550928ba8ea836cad34edbe240f135d

# Exploit Title: Joomla! Component SIGE version <= 3.2.3 Cross-site Scripting
# Date: 15-02-2018
# Software Link:
# Exploit Author: Alwin Peppels
# Website:
# CVE: CVE-2017-16356
# Category: webapps

1. Description
Kubik-Rubik Simple Image Gallery Extended (SIGE) contains an XSS in the
'print.php' file.
Insufficient sanitization of the 'caption' URL parameter allows injection
of Javascript into the page.
In versions <= 3.2.0 the 'name' and 'img' parameters are vulnerable as well.
Google dork: inurl:plugin_sige/print.php

The version of the SIGE plugin can be determined with this file:

2. Proof of Concept


3. Solution:

Update to version 3.3.0

Related Posts