In Joomla! 3.x prior to 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
joomla joomla\\!