Joomla! vulnerability is being actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability for the Joomla! Content Management System (CMS) to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by January 29, 2024 in order to protect their devices against active threats.

Joomla! is an open-source CMS that's been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you need to keep an eye out for updates.

Take for example the vulnerability that has been added to the CISA catalog: CVE-2023-23752 was reported, and a fix was created in February 2023. But here we are, active exploitation is upon us.

The vulnerability allows a successful attacker to access an application programming interface (API) through which they can obtain Joomla-related configuration information. The attacker has to construct specially crafted requests, which can eventually lead to the disclosure of sensitive information.

The vulnerability is the result of an improper access check that allows unauthorized access to webservice endpoints that exist in Joomla! versions 4.0.0-4.2.7.

If the database is exposed publicly, the attacker can change the Joomla! Super User’s password. After which the attacker can log in to the administrative web interface and modify a Joomla! template to include a web shell, or install a malicious plugin, giving themselves the ability execute code remotely.

But even if the database is not exposed publicly, exploitation can be used to get the Joomla! user database (usernames, emails, assigned group). This could open up options for credential stuffing. Credential stuffing is a special type of password attack that exploits password reuse by using username and password combinations found on one service to log in to other, unrelated services.

Users are advised to upgrade their CMS to version 4.2.8 or later. The latest version (5.0.1 at the moment of writing) and upgrade packages can be downloaded here.

Secure your CMS

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

• Choose a CMS that actively looks for and fixes security vulnerabilities.
• If it has a mailing list for informing users about patches, join it.
• Enable automatic updates if the CMS supports them.
• Use the fewest number of plugins you can, and do your due diligence on the ones you use.
• Keep track of the changes made to your site and its source code.
• Secure accounts with two-factor authentication (2FA).
• Give users the minimum access rights they need to do their job.
• Limit file uploads to exclude code and executable files, and monitor them closely.
• Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.