Security concerns with "Share List" function
4 years 6 months ago #7
Replied by 3by400, Inc. on topic Security concerns with "Share List" function
Thanks. I've modified lines 49 - 51 to the following in modules/mod_myshortlist/mod_myshortlist.php:

// Take the sender address and name from the site's global mail configuration
$fromEmail = $app->getCfg('mailfrom');
$fromName  = $app->getCfg('fromname');
// Use them as the sender of the "Share List" e-mail
$mailSender->setSender(array($fromEmail, $fromName));
4 years 6 months ago #8
Replied by Christopher Mavros on topic Security concerns with "Share List" function
Great! That's exactly what I did, too.
Please let me know when there's any additional information about the detected XSS vulnerability, so that I can release the pending update.
Thanks again!
Christopher Mavros
me@mavxr.com
If you like our extensions, please rate us on the JED!
4 years 6 months ago #9
Replied by 3by400, Inc. on topic Security concerns with "Share List" function
I'm attaching screenshots of the MyShortList related vulnerabilities from the penetration test report we were given.
4 years 6 months ago #10
Replied by Christopher Mavros on topic Security concerns with "Share List" function
Thank you very much.
Please allow me some time to check them thoroughly.
I will get back to you shortly.
Christopher Mavros
me@mavxr.com
If you like our extensions, please rate us on the JED!
4 years 6 months ago #11
Replied by Christopher Mavros on topic Security concerns with "Share List" function
Hi again. I confirm these issues. I'm working all day on this, and I have now fixed them all, so I just released a security update.
I have fixed these issues right in the heart of MyShortlist, so that these vulnerabilities are completely sealed for all users, regardless of their template overrides, as long as they immediately update to the latest version: 1.10.1434.
Let me explain what these issues are.
1. The first issue is related to adding items to the list.
Manually adding Javascript code (which is run by the browser on the client side) into the insertion form variables results in this code being executed when the item is shown within the list.
For this issue to pose a true security risk, an attacker would have to already be logged in as someone else. Otherwise, this code will only be executed on the attacker's computer or in the attacker's user account.
It cannot affect any other users.
2. The second issue is related to creating new lists.
Again, an attacker can inject some Javascript code that will be executed when a user adds or removes items from this list using the Youtube-like dropdown button.
This issue also only affects the attacker's computer or the attacker's user account, so they would require access to someone else's account for this issue to pose a true risk.
HOWEVER.
I have found a third issue, based and related to the first issue, that poses a large vulnerability and CAN potentially execute Javascript code in the Joomla administrator.
As such, I urge all MyShortlist users to immediately update to version 1.10.1434 (or newer).
Thank you for your assistance in this.
Let me know if there's anything else I can do to help.
Christopher Mavros
me@mavxr.com
If you like our extensions, please rate us on the JED!
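The two stored-XSS sinks described in the post above (item names shown in the list, list titles shown in the dropdown) and the output-encoding fix that closes them, as an added example that is not the extension's own code; the array keys and function names are assumptions for illustration.

```php
<?php
// Added example, not MyShortlist's own code: output encoding for the two stored-XSS
// sinks the post describes (item names shown in the list, list titles shown in the
// dropdown). The array keys and function names are assumptions for illustration.

// Encode for both HTML text and attribute contexts. ENT_QUOTES also encodes the single
// quote; Joomla's view escape() uses ENT_COMPAT, which leaves it alone and is therefore
// not enough inside single-quoted attributes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The behaviour the post describes: the stored value is echoed raw, so markup entered
// into the insertion form is interpreted by whichever browser displays the list.
function renderItemVulnerable(array $item): string
{
    return '<li data-id="' . $item['id'] . '">' . $item['name'] . '</li>';
}

// Hardened rendering: encode every user-controlled value at the output sink. Keeping
// this in one shared function, rather than in each template override, is what lets a
// fix in the module itself cover sites with customised templates, and covers any other
// view (the administrator included) that renders the same stored value.
function renderItemSafe(array $item): string
{
    return '<li data-id="' . escapeHtml((string) $item['id']) . '">'
         . escapeHtml($item['name']) . '</li>';
}

// Same treatment for the list title rendered as an <option> in the dropdown.
function renderListOptionSafe(array $list): string
{
    return '<option value="' . escapeHtml((string) $list['id']) . '">'
         . escapeHtml($list['title']) . '</option>';
}

// Constructed sample: an item name carrying a script tag, as a tester would submit it.
$item = ['id' => 7, 'name' => '<script>alert(1)</script>'];

// Raw output still contains an executable <script> element ...
assert(strpos(renderItemVulnerable($item), '<script>') !== false);
// ... while the encoded output shows the text literally and contains no tag.
$safe = renderItemSafe($item);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $safe, PHP_EOL;
```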