Home page logo

bugtraq logo Bugtraq mailing list archives

Joomseller "Events Booking Pro" and "JSE Event" reflected XSS
From: samelat <samelat () gmail com>
Date: Mon, 5 Aug 2013 11:19:06 -0300

 Joomseller "Events Booking Pro" and "JSE Event" reflected XSS

[+] Software Link:


[+] Affected Versions:

Component com_events_booking_v5
Component com_jse_event < 1.0.1

[+] Vulnerability Description:

The vulnerable files are the following:

.- For JSE Event:

.-For Events Booking pro:

The "info" parameter is not correctly sanitized before being used,
allowing an attacker to perform XSS attacks.

As a proof of concept, an attacker could perform the following request:


where the contents of the info parameter is the following payload
encoded using base64 encoding

{"events":"(15:00:00) <script>alert(1);</script>", "event_id":"64",
"itemid":"1", "evr_id":"1191"}

[+] Solution:

Upgrade to JSE Event version 1.0.1.

[+] Report Timeline:

[30/07/2013] - Vulnerability reported to the vendor
[30/07/2013] - Developer confirm vulnerability and update released
[05/08/2013] - Public disclosure

[+] Credits:

Vulnerability discovered by Gaston Traberg.

  By Date           By Thread  

Current thread:
  • Joomseller "Events Booking Pro" and "JSE Event" reflected XSS samelat (Aug 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]