
CISA has added a vulnerability in the Joomla! CMS to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Joomla! is an open-source CMS that’s been around since 2005 and has been one of the most popular CMS platforms by market share for much of that time.
The vulnerability, tracked as CVE-2023-23752, was reported and fixed in February 2023. It allows a successful attacker to access an API through which Joomla-related configuration information can be obtained. The attacker has to construct specially crafted requests, which can eventually lead to the disclosure of sensitive information.
The vulnerability is the result of an improper access check that allows unauthorized access to webservice endpoints that exist in Joomla! versions 4.0.0-4.2.7.
If the database is accessible from the internet, the attacker can change the Joomla! Super User’s password. After that, the attacker can log in to the administrative web interface and modify a Joomla! template to include a web shell, or install a malicious plugin, giving themselves the ability to execute code remotely.
But even if the database is not exposed publicly, exploitation can still be used to obtain the Joomla! user database. This could open up options for credential stuffing. Credential stuffing is a special type of password attack that exploits password reuse by using username and password combinations found on one service to log in to other, unrelated services.
Users are advised to upgrade their CMS to version 4.2.8 or later. The latest version (5.0.1 at the moment of writing) and upgrade packages can be downloaded here.
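To find which sites in an inventory still fall inside the affected 4.0.0-4.2.7 range, here is an added triage script (not from the original article or the Joomla! project); the host names and version strings in it are constructed sample data, and the handling of pre-release tags is an assumption noted in the code.

```python
import re
from dataclasses import dataclass

# Affected range and fix version as stated in the advisory text above.
VULN_MIN, VULN_MAX, FIXED = (4, 0, 0), (4, 2, 7), (4, 2, 8)

# major.minor.patch with an optional pre-release/build suffix such as "-rc1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+.]([0-9A-Za-z.]+))?$")


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "vulnerable" | "patched" | "not_affected" | "unknown"
    note: str


def parse_version(text):
    """Return ((major, minor, patch), suffix) or None if the string is unparseable."""
    m = VERSION_RE.match(text.strip())
    return ((int(m[1]), int(m[2]), int(m[3])), m[4]) if m else None


def assess(host, version):
    parsed = parse_version(version)
    if parsed is None:
        return Finding(host, version, "unknown", "could not parse version string")
    core, suffix = parsed
    if core[0] != 4:
        # 3.x and 5.x are outside the 4.0.0-4.2.7 range named in the advisory.
        return Finding(host, version, "not_affected", "not a Joomla! 4.x release")
    if VULN_MIN <= core <= VULN_MAX:
        return Finding(host, version, "vulnerable", "upgrade to 4.2.8 or later")
    if suffix and core == FIXED:
        # Assumption: a pre-release tagged 4.2.8 is not proof the fix is present.
        return Finding(host, version, "unknown", "pre-release of fix version; verify manually")
    return Finding(host, version, "patched", "at or above 4.2.8")


# Constructed inventory (e.g. a CMDB export); these are not real hosts.
SAMPLE_INVENTORY = [("www-01", "4.2.7"), ("www-02", "4.2.8"), ("intranet", "4.0.0"),
                    ("legacy", "3.10.12"), ("new-site", "5.0.1"),
                    ("staging", "4.2.8-rc1"), ("broken", "four.two")]


def needs_action(inventory):
    """Hosts that must be upgraded or checked by hand, sorted by name."""
    findings = [assess(h, v) for h, v in inventory]
    return sorted(f.host for f in findings if f.status in ("vulnerable", "unknown"))


if __name__ == "__main__":
    for h, v in SAMPLE_INVENTORY:
        f = assess(h, v)
        print(f"{f.host:10} {f.version:10} {f.status:13} {f.note}")
```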
FCEB agencies need to remediate this vulnerability by January 29, 2024, in order to protect their devices against active threats.

