Cyber Posture

CVE-2024-40748

Severity: High

Published: 07 January 2025
Modified: 04 June 2025
KEV Added: (no date listed)
Patch: see the Joomla advisory linked in the Security Summary
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Lack of output escaping in the id attribute of menu lists.

Security Summary

CVE-2024-40748 is a cross-site scripting (XSS) vulnerability in the Joomla core caused by a lack of output escaping in the id attribute of menu lists (CWE-79). It was published on 7 January 2025 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), a vector that rates the confidentiality impact as high and the integrity and availability impacts as none.

Read literally, that vector describes a flaw reachable over the network by an unauthenticated attacker with low attack complexity and no user interaction. The weakness itself is the attribute-injection form of XSS: a value that reaches the id attribute without escaping can close the attribute with a double quote and append event-handler attributes or new elements, and the injected script then runs in the browser of whoever renders the menu, which is what exposes session cookies or other sensitive data. Whether this plays out as reflected or stored XSS depends on how the id value gets into the template, which this record does not describe. Note that UI:N and S:U are atypical for XSS, which normally needs a victim to load the affected page and is scored with a changed scope, so treat the 7.5 as the scoring source's judgement rather than as evidence that data can be read without any victim involvement.

Mitigation details and the fixed releases are given in Joomla Security Centre advisory 20250102:
https://developer.joomla.org/security-centre/955-20250102-core-xss-vector-in-the-id-attribute-of-menu-lists.html
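The remediation for this bug class is plain output escaping of the attribute value. The script below is an added illustrative example, not Joomla's code and not the patch shipped with the advisory: a vulnerable renderer that concatenates a caller-supplied id into a menu list beside a hardened one that passes the value through htmlspecialchars(), exercised with a constructed payload that closes the attribute and adds an event handler. The function names, the payload, the sample menu items and the allow-list regex are all assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example for the CWE-79 pattern behind CVE-2024-40748. Not Joomla's code:
// the function names, the payload and the allow-list below are constructed here.

/**
 * Vulnerable rendering: $tagId is concatenated into the id attribute verbatim,
 * so a double quote inside it ends the attribute and everything after it is
 * parsed as new markup (here, an event-handler attribute).
 */
function renderMenuListUnsafe(string $tagId, array $items): string
{
    $html = '<ul class="menu" id="' . $tagId . '">';
    foreach ($items as $item) {
        $html .= '<li>' . htmlspecialchars($item, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

/**
 * Fixed rendering: the id value goes through htmlspecialchars() with ENT_QUOTES,
 * so '"', "'", '<', '>' and '&' become entities and cannot terminate the
 * attribute. The browser decodes the entities when it reads the id, so a normal
 * value such as "main-nav" is rendered unchanged.
 */
function renderMenuListSafe(string $tagId, array $items): string
{
    $escapedId = htmlspecialchars($tagId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<ul class="menu" id="' . $escapedId . '">';
    foreach ($items as $item) {
        $html .= '<li>' . htmlspecialchars($item, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

/**
 * Optional second layer: an id only makes sense as an identifier, so a renderer
 * can reject values outside a conservative allow-list before output. This regex
 * is stricter than what HTML5 permits, deliberately. Escaping stays mandatory;
 * validation just refuses junk early.
 */
function isSafeHtmlId(string $tagId): bool
{
    return preg_match('/\A[A-Za-z][A-Za-z0-9_:.-]{0,127}\z/', $tagId) === 1;
}

// Constructed payload: closes the id attribute and injects an onmouseover handler.
$payload = 'nav" onmouseover="alert(document.cookie)" x="';
$items   = ['Home', 'Contact'];

$unsafe = renderMenuListUnsafe($payload, $items);
$safe   = renderMenuListSafe($payload, $items);

echo 'unsafe: ', $unsafe, PHP_EOL;
echo 'safe:   ', $safe, PHP_EOL;

// Self-check: the vulnerable output carries a real, quote-delimited event handler;
// the hardened output must not (its quotes are &quot; entities inside the id).
if (strpos($unsafe, ' onmouseover="') === false || strpos($safe, ' onmouseover="') !== false) {
    fwrite(STDERR, "self-check failed: escaping did not neutralise the payload\n");
    exit(1);
}
if (!isSafeHtmlId('main-nav') || isSafeHtmlId($payload)) {
    fwrite(STDERR, "self-check failed: allow-list gave the wrong answer\n");
    exit(1);
}
```

Run it with the php CLI; it exits non-zero if the hardened renderer still emits a raw quote-delimited handler. In the escaped output the whole payload becomes the element's id, quotes and all, which is an odd identifier but not new markup, so nothing executes.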

Details

CWE(s)
CWE-79

Affected Products

Vendor: Joomla
Product: Joomla!
Affected versions: 3.9.0 through 3.10.20 · 4.0.0 through 4.4.10 · 5.0.0 through 5.2.3

References

Joomla Security Centre, advisory 20250102, Core - XSS vector in the id attribute of menu lists: https://developer.joomla.org/security-centre/955-20250102-core-xss-vector-in-the-id-attribute-of-menu-lists.html