Risk | Medium
Patch available | Yes
Number of vulnerabilities | 2
CVE-ID | CVE-2017-9933, CVE-2017-9934
CWE-ID | CWE-200, CWE-352
Exploitation vector | Network
Public exploit | Public exploit code for vulnerability #2 is available.
Vulnerable software | Joomla! (Web applications / CMS)
Vendor | Joomla!
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU7315
Risk: Medium
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9933
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an improper cache invalidation mechanism. A remote attacker can view cache files and obtain potentially sensitive information related to forms.
Update to version 3.7.3.
Vulnerable software versions: Joomla! 1.7.3 - 3.7.2
External links: http://developer.joomla.org/security-centre.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU7317
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-9934
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to perform a CSRF attack.
The vulnerability exists due to a missing CSRF token. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary HTML and JavaScript code in the victim's browser in the context of the vulnerable website.
Update to version 3.7.3.
Vulnerable software versions: Joomla! 1.7.3 - 3.7.2
External links: http://developer.joomla.org/security-centre.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.