#VU13475 PHP file inclusion in Joomla! - CVE-2018-12712

Published: June 26, 2018


Vulnerability identifier: #VU13475
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-12712
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Joomla!
Software vendor: Joomla!

Description

The vulnerability allows a remote attacker to include and execute arbitrary files on the local system.

The vulnerability exists because the autoload code checks whether class names are valid using PHP's "class_exists" function. In PHP 5.3 this function does not properly validate names, which can lead to a local file inclusion vulnerability.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files and, under certain circumstances, even compromise the vulnerable system, but it requires that Joomla! is running on an old version of PHP 5.3.
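As an added illustration (not Joomla!'s own code), the CWE-98 pattern described above: an autoloader that builds a file path straight from a class name and relies on class_exists() to have vetted it, beside a hardened version that validates the name itself and confirms the resolved file stays inside the library directory. The function names and the lib/ directory are assumptions.

```php
<?php
// Vulnerable pattern: map the class name straight to a file path, trusting the
// caller (e.g. class_exists()) to have rejected names that are not identifiers.
function unsafe_autoload(string $class): void
{
    $file = __DIR__ . '/lib/' . str_replace('\\', '/', $class) . '.php';
    if (is_file($file)) {
        require $file;   // on PHP 5.3 a non-identifier name reaches this point unchecked
    }
}

// Hardened pattern: validate the class name before touching the filesystem.
function is_valid_class_name(string $class): bool
{
    // Each namespace segment must be a valid PHP identifier; only "\" may separate segments.
    $ident = '[A-Za-z_\x7f-\xff][A-Za-z0-9_\x7f-\xff]*';
    return (bool) preg_match('/^' . $ident . '(\\\\' . $ident . ')*$/', $class);
}

// Resolve the file for a validated class name and make sure it lies under $libDir.
function resolve_class_file(string $class, string $libDir): ?string
{
    if (!is_valid_class_name($class)) {
        return null;
    }
    $file = $libDir . '/' . str_replace('\\', '/', $class) . '.php';
    $real = realpath($file);
    $base = realpath($libDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // file missing, or it resolves outside the library root
    }
    return $real;
}

spl_autoload_register(function (string $class): void {
    $file = resolve_class_file($class, __DIR__ . '/lib');
    if ($file !== null) {
        require $file;
    }
});

// Self-check of the validator (no filesystem access needed).
assert(is_valid_class_name('Joomla\\Registry\\Registry'));
assert(!is_valid_class_name('../config'));
assert(!is_valid_class_name('Foo/Bar'));
```

The second check (realpath containment) is defence in depth: even if the name validation were ever loosened, a file outside the library directory is still never included.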


Remediation

Update to version 3.8.9.

External links