Attacker Value

High

(1 user assessed)

Exploitability

Moderate

(1 user assessed)

User Interaction

CVE-2023-23752

Disclosure Date: February 16, 2023 •

CVE-2023-23752 CVSS v3 Base Score: 5.3

Exploited in the Wild

Reported by noraj and 2 more...
View Source Details

Description

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

Add Assessment

noraj (102)

March 24, 2023 9:21am UTC (1 year ago)

Ratings

Attacker Value

High

Exploitability

Medium

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration No useful access

Technical Analysis

There are at least two ways to achieve RCE.

Vector n°1

It leaks the MySQL credentials, in default and most common configurations MySQL will be exposed only on 127.0.0.1 which make the attack ineffective. But if the database is exposed publicly, the attacker can change the Joomla! Super User’s password. The attacker logs in administrative web interface and modify a template to include a webshell or install a malicious plugin.

Vector n°2

It leaks the Joomla user database (usernames, emails, assigned group). The attacker can target a Super user and try bruteforce or credentials stuffing, then follows previously showcased paths to code execution.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.3 Medium

Impact Score:

1.4

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

Low

Integrity (I):

None

Availability (A):

None

Vendors

joomla

Products

joomla!

Metasploit Modules

auxiliary/scanner/http/joomla_api_improper_access_checks (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/joomla_api_improper_access_checks.rb)

Exploited in the Wild

Reported by:

noraj indicated source as Threat Feed (https://viz.greynoise.io/tag/joomla-credential-disclosure-cve-2023-23752-attempt?days=30)

Reported: March 24, 2023 9:21am UTC (1 year ago)

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-exploited-vulnerabilities-catalog)

Reported: January 17, 2024 5:46am UTC (10 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:20am UTC (2 weeks ago)

References

Canonical

CVE-2023-23752 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23752)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2023-23752 exploit (https://github.com/z3n70/CVE-2023-23752)

Joomla! information disclosure - CVE-2023-23752 exploit (https://github.com/Acceis/exploit-CVE-2023-23752)

CVE-2023-23752 (https://github.com/gibran-abdillah/CVE-2023-23752) (Added by AKB Worker)

CVE-2023-23752 (https://github.com/GhostToKnow/CVE-2023-23752) (Added by AKB Worker)

Miscellaneous

https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html

Joomla! CVE-2023-23752 to Code Execution (https://vulncheck.com/blog/joomla-for-rce)

Joomla Unauthorized Access Vulnerability (CVE-2023-23752) Notice (https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/)

Rapid7

High

CVE-2023-23752

High

Moderate

None

None

Network

CVE-2023-23752

Description

Add Assessment

Ratings

Technical Analysis

Vector n°1