CVE-2025-49486 HIGH

CVE-2025-49486: Extension - balbooa.com - Stored XSS in Balbooa Gallery component version 1.0.0 - 2.4.0 for Joomla

Vendor Balbooa.com
Product Balbooa Gallery component for Joomla
Weakness CWE-79 · XSS
Published July 18, 2025
Last update July 20, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items.

Explanation of Vulnerability in Simple Terms

02Summary

The Balbooa Gallery component for Joomla contains a cross-site scripting (XSS) vulnerability that allows high-privilege users to inject malicious scripts. An attacker with administrative or elevated permissions can craft input that executes JavaScript in other users' browsers, potentially compromising site security or stealing session data. This vulnerability requires authenticated access with high privileges to exploit.

What an attacker can do

03Attacker Capabilities

Inject JavaScript code that runs in other users' browsers when they view affected pages.

Potential impact on your site

04Site Impact

A compromised admin account could inject malicious scripts affecting all site visitors and potentially stealing credentials or session tokens.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrative or privileged account access to the Joomla site.

Key dates

06Disclosure timeline

July 18, 2025 CVE published
July 20, 2025 Record updated

Related vulnerabilities

08Related CVE