Reverse Tabnabbing in J-Business Directory

#VU24944 Reverse Tabnabbing in J-Business Directory

Published: 2020-02-05

Vulnerability identifier: #VU24944

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5182

CWE-ID: CWE-1022

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
J-Business Directory
Web applications / Modules and components for CMS

Vendor: CMS Junkie

Description

The vulnerability allows a remote attacker to modify certain properties on the affected system.

The vulnerability exist due to Reverse Tabnabbing on the listing website links that are open in a new tab. In some configurations, the link to the business website can be entered by any user. If it doesn't contain rel="noopener" (or similar attributes such as noreferrer). A remote attacker can modify the location property to automatically redirect the user to a malicious site.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

J-Business Directory: All versions

External links
http://www.cmsjunkie.com/blog/joomla_business_directory_5-2-9_release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Reverse Tabnabbing in J-Business Directory component for Jomla!