Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities
Sonar's Vulnerability Research Team discovered multiple XSS vulnerabilities in the popular Content Management System (CMS) Joomla. The issue, tracked as CVE-2024-21726, affects Joomla's core filter component and can be exploited by attackers to gain remote code execution by tricking an administrator into clicking on a malicious link. The underlying PHP bug is an inconsistency in how PHP's mbstring functions handle invalid multibyte sequences. This issue was fixed in PHP versions 8.3 and 8.4 but was not backported to older PHP versions. Joomla released versions 5.0.3 and 4.4.3, which mitigate the vulnerability on the Joomla side regardless of the PHP version in use.
Company: Sonar
Date published: Feb. 20, 2024
Author(s): Stefan Schiller
Word count: 1259
Hacker News points: None found.
Language: English