[SOLVED] Possible XSS issue

6 months 1 week ago - 6 months 1 week ago
#32761
Hi, we received this information about an XSS vulnerability on our page: openbugbounty > reports > 4143654
We think we traced it back to the JEM event search. We also received further details in an email we don't want to post publicly. It contains an example URL that injects code which is indeed executed in the browser. We will happily forward the email to you if you give us an address that verifiably belongs to the JEM team.

Joomla version: 5.3.2
JEM version: 4.3.3

Are you aware of this? Is this an issue?

Thanks for your great work,
Falk for Jungenarbeit
Last edit: 6 months 1 week ago by larskaufbach.

Re: [SOLVED] Possible XSS issue

6 months 1 week ago
#32763
Hello there,

We did receive your email yesterday with the relevant example URL. It's shared between the team on a non-public part of this forum.

Thanks for reporting this!

Re: [SOLVED] Possible XSS issue

6 months 1 week ago
#32764
Nice, thanks.

Re: [SOLVED] Possible XSS issue

6 months 3 days ago
#32776
Just a quick note:
We responded yesterday via email.
The following user(s) said Thank You: jojo12

Re: [SOLVED] Possible XSS issue

6 months 1 day ago
#32782
Thanks for getting back via email! The info was sent to the developers just now.

Re: [SOLVED] Possible XSS issue

5 months 3 weeks ago
#32811
Sanitize user input to prevent reflected XSS in the search field
Proper escaping has been added to the filter_search input using htmlspecialchars() to prevent XSS via injected attributes.
User input is now safely rendered inside the value attribute.

See the commit: github.com/jemproject/JEM-Project/commit/9a618582db35f6a46c2c8b17d223f5b043125061

This fix will be included in the upcoming JEM 4.3.4 release.
The following user(s) said Thank You: hekla
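
The kind of fix described in the post above, sketched as an added example that is not part of the thread and not the code from the JEM commit: a search value echoed into a `value` attribute, rendered once without escaping and once through `htmlspecialchars()`, then parsed to see which attributes the browser would find. The function names and the sample value are hypothetical and constructed for illustration; the `dom` PHP extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Hypothetical "before": the request value is concatenated into the attribute as-is.
function renderSearchUnsafe(string $search): string
{
    return '<input type="text" name="filter_search" value="' . $search . '" />';
}

// Hypothetical "after": the value is escaped for an HTML attribute context.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function renderSearchSafe(string $search): string
{
    $escaped = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="filter_search" value="' . $escaped . '" />';
}

// Parse the markup and return the attributes found on the <input> element,
// so the check is made on the parsed DOM rather than on the raw string.
function inputAttributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed sample: a double quote ends value="" early and is followed by
// a harmless marker attribute that the template never declared.
$sample = 'concert" data-injected="1';

$unsafe = inputAttributes(renderSearchUnsafe($sample));
$safe   = inputAttributes(renderSearchSafe($sample));

// Did the parser find an attribute that came from user input?
var_dump(array_key_exists('data-injected', $unsafe));
var_dump(array_key_exists('data-injected', $safe));

// Does the escaped field still show the user exactly what they typed?
var_dump($safe['value'] === $sample);
```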
