HomeDefault status
unaffected
1.0-2.26
affected
Description
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
1.0-2.26
Credits
Matan Bahar
Niv Kochan
References
www.getk2.org/