Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
44 lines (31 sloc) 2.78 KB


Affected software

JE Messenger 1.2.2 Joomla Module by Harmis Technology.

What: Stored XSS

Arbitrary javascript code can be injected into messages and will be executed by the viewer.


During the preparation of one of our incident response exercises, one of our CERT Members (Tobias Roggenhofer) detected an unexpected behavior of the Joomla Module JE Messenger of Harmis Technology in its current version (1.2.2). Due to this behavior, we started analyzing this module and detected several vulnerabilities.

We informed the software-vendor that we have detected vulnerabilities in their module. Sadly a secure communication to share the details could not be established.

Since we still want to disclose our findings in a responsible way, we only announced the type of vulnerability and the associated risk in the first step on the 2019-03-29. This gives the software vendor time to patch the plugin or user the time to move to another plugin or temporarily disable it. Since 2019-05-01 we've published more details including some payloads.


CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N : 5.4 (Medium)

Detailed description

It is possible to send messages with javascript code in it to other users. The Javascript code will be executed as soon as the message will be opened by the recipient. This is possible, because the userinput of the "Maintext" inputbox will be escaped only on client side.

In the following example we are logged in as user1 and send a crafted message to user3. At first we are writing an innocent looking message in the compose view. Creation of an normal message

Now we start an interception-proxy and send the Message. We can now add arbitrary javascript code inside the the value of the parameter "mail_from" and forward it to the application. We only use a simple <script>alert("XSS");</script> in this example. Crafting a message with javascript code in it

If the recipient now opens the message, the inserted javascript code will be executed in his browser. The crafted message in the inbox of user3 XSS alertbox by opening the message


  • 2019-03-05: Contacted vendor, request for encrypted communication
  • 2019-03-06: Request from vendor to tell affected product (no encryption)
  • 2019-03-06: Provided Module-Name (no encryption)
  • 2019-03-06: Further contact with vendor, sadly still no encryption
  • 2019-03-13: Reminder, deadline set for 18th of March for a response (no encryption)
  • 2019-03-19: No response, reserving CVEs, planned release on 2019-04-01
  • 2019-03-22: MITRE informs us that 5 CVEs are reserved
  • 2019-03-29: Publishing basic information, informing MITRE and vendor
  • 2019-05-01: Publishing full vulnerability details
You can’t perform that action at this time.