SB2019041026 - Multiple vulnerabilities in Joomla!
Published: April 10, 2019 Updated: March 6, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2019-11358)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
2) Improper Authentication (CVE-ID: CVE-2019-10946)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to missing authentication checks for the "refresh list of helpsites" endpoint of com_users core component. A remote non-authenticated attacker can request the endpoint and gain access to sensitive information.
3) Path traversal (CVE-ID: CVE-2019-10945)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Clear
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the com_media core component when processing folder parameter. A remote privileged attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Remediation
Install update from vendor's website.
References
- https://developer.joomla.org/security-centre.html
- https://developer.joomla.org/security-centre/778-20190402-core-helpsites-refresh-endpoint-callable-for-unauthenticated-users
- http://packetstormsecurity.com/files/152515/Joomla-3.9.4-Arbitrary-File-Deletion-Directory-Traversal.html
- https://developer.joomla.org/security-centre/777-20190401-core-directory-traversal-in-com-media
- https://www.exploit-db.com/exploits/46710/