
Multiple Vulnerabilities in Joomla! Could Allow for Information Disclosure

MS-ISAC ADVISORY NUMBER:

2017-090

DATE(S) ISSUED:

09/26/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in Joomla!, which could allow for information disclosure. Joomla! is an open-source content management system for websites. Successful exploitation of these vulnerabilities could allow an attacker to read content that is not meant to be visible or to obtain user credentials, which could in turn be used to compromise the application and to access or modify its data.

THREAT INTELLIGENCE:

Proof-of-concept code is publicly available for one of these vulnerabilities (CVE-2017-14596, the LDAP authentication plugin issue).

SYSTEMS AFFECTED:

  • Joomla! versions prior to 3.8

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Joomla!, which could allow for information disclosure. Details of these vulnerabilities are as follows:

  • A logic bug in a SQL query could lead to the disclosure of the intro text of articles that are in the archived state and therefore not meant to be shown. (CVE-2017-14595)
  • Inadequate escaping of user-supplied input placed into the LDAP search filter by the LDAP authentication plugin (LDAP injection) can result in the disclosure of a username and password. Only installations with the LDAP authentication plugin enabled are exposed to this issue. (CVE-2017-14596)

Successful exploitation of these vulnerabilities could allow an attacker to read the intro text of archived articles that are not meant to be visible, or to recover the username and password of an account that authenticates through LDAP. With recovered credentials the attacker could log in as that user and, depending on the privileges associated with the account, install extensions; view, change, or delete data; or create new accounts with full user rights.
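The escaping defect behind CVE-2017-14596 is easiest to see on the filter string itself. The following Python example is added to this advisory for illustration; it is not Joomla! code and not the published proof of concept. The search template, the directory entry and the small filter matcher are constructed for the demonstration (a real plugin's template and a real directory server are assumed to behave analogously but are not reproduced). It builds an LDAP search filter from a login name first without escaping and then with RFC 4515 escaping, and shows why only the unescaped form lets a crafted login name ask a yes/no question about a different attribute of the entry.

```python
import re

# Constructed sample directory entry for this demonstration; not real data.
ENTRY = {"objectClass": "person", "uid": "admin", "userPassword": "S3cretPass!"}

# Hypothetical search template of the kind an LDAP authentication plugin
# lets an administrator configure; "[search]" is replaced by the login name.
SEARCH_TEMPLATE = "(&(objectClass=person)(uid=[search]))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Backslash, '*', '(', ')' and NUL carry filter syntax; each is replaced by a
    backslash followed by its two-digit hex code, so it can only ever be data.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(username: str, escape: bool) -> str:
    """Insert the login name into the template, with or without escaping.

    escape=False reproduces the weakness the advisory describes (user input
    placed directly into the filter); escape=True is the corrected behaviour.
    """
    value = escape_filter_value(username) if escape else username
    return SEARCH_TEMPLATE.replace("[search]", value)


def _assertion_to_regex(assertion: str) -> str:
    """Translate an RFC 4515 assertion value into a regex: '*' is a wildcard,
    a '\\xx' escape is one literal character, everything else is literal."""
    parts, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", assertion[i + 1:i + 3]):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


_ATTR = r"[A-Za-z][A-Za-z0-9-]*"
_COMPONENT = re.compile(r"\((%s)=([^()]*)\)" % _ATTR)
_AND_FILTER = re.compile(r"\(&((?:\(%s=[^()]*\))+)\)" % _ATTR)


def filter_matches(ldap_filter: str, entry: dict) -> bool:
    """Evaluate a filter of the shape (&(attr=value)(attr=value)...) on one entry.

    Toy matcher for the demonstration only, not an LDAP implementation: it
    handles an AND of equality or substring assertions, which is all the
    template above can produce, and rejects anything else as malformed.
    """
    m = _AND_FILTER.fullmatch(ldap_filter)
    if m is None:
        raise ValueError("unsupported or malformed filter: %r" % ldap_filter)
    for attr, assertion in _COMPONENT.findall(m.group(1)):
        if attr not in entry:
            return False
        if re.fullmatch(_assertion_to_regex(assertion), entry[attr]) is None:
            return False
    return True


# A genuine login name and a crafted one. The crafted value closes the uid
# assertion and appends a probe about a different attribute of the same entry.
LEGITIMATE_USERNAME = "admin"
INJECTED_USERNAME = "admin)(userPassword=S*"


def demo() -> dict:
    """Build the filter from the crafted login name both ways and evaluate it."""
    results = {}
    for label, escape in (("unescaped", False), ("escaped", True)):
        ldap_filter = build_filter(INJECTED_USERNAME, escape)
        results[label] = (ldap_filter, filter_matches(ldap_filter, ENTRY))
    return results


if __name__ == "__main__":
    for label, (ldap_filter, matched) in demo().items():
        print("%-9s %s" % (label, ldap_filter))
        print("          -> entry matched: %s" % matched)
```

Run directly, the unescaped filter becomes (&(objectClass=person)(uid=admin)(userPassword=S*)) and matches, while the escaped filter carries the crafted characters as \29, \28 and \2a inside the uid value and does not match. A match that depends on the guessed prefix is exactly the yes/no oracle that turns a login form into a way of reading another user's attributes. In production, use the escaping routine shipped with the LDAP client library rather than a hand-written one; the function above is spelled out only so the transformation is visible.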

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Joomla! to vulnerable systems immediately after appropriate testing; for these issues that means upgrading to Joomla! 3.8 or later.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • If the LDAP authentication plugin is enabled, review authentication logs for login attempts whose usernames contain LDAP filter metacharacters such as *, ( and ), and consider resetting the passwords of accounts that may have been targeted.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:

CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security