CVE-2024-40748
Published: 07 January 2025
Summary
CVE-2024-40748 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Joomla!. Its CVSS base score is 7.5 (High).
Operationally, it ranks at the 2.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the lack of output escaping in the menu list id attribute by requiring filtering of information prior to output to web pages to prevent XSS attacks.
Mitigates the specific Joomla core XSS flaw by identifying, reporting, and applying timely patches as outlined in the Joomla Security Centre advisory.
Provides defense-in-depth by validating inputs to block malicious script injection that could exploit the unescaped id attribute in reflected or stored XSS scenarios.
NVD Description
Lack of output escaping in the id attribute of menu lists.
Deeper analysis
CVE-2024-40748 is a cross-site scripting (XSS) vulnerability stemming from a lack of output escaping in the id attribute of menu lists within the Joomla core. Classified under CWE-79, it was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its potential for high confidentiality impact.
The vulnerability can be exploited over the network by unauthenticated attackers, with low attack complexity and no user interaction. Exploitation enables attackers to inject malicious scripts via the unescaped id attribute, potentially leading to the theft of sensitive user data or session information through reflected or stored XSS attacks.
Mitigation details are outlined in the Joomla Security Centre advisory available at https://developer.joomla.org/security-centre/955-20250102-core-xss-vector-in-the-id-attribute-of-menu-lists.html.
Details
- CWE(s)