Main Vulnerability Database Vulnerabilities #VU13475

PHP file inclusion in Joomla! - CVE-2018-12712

Published: June 26, 2018

Vulnerability identifier: #VU13475

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-12712

CWE-ID: CWE-98

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Joomla!

Affected software:
Joomla!

Detailed vulnerability description

The vulnerability allows a remote attacker to include and execute arbitrary files on the local system.

The vulnerability exists due to autoload code checks classnames to be valid, using the "class_exists" function in PHP. This function however does not properly validate names in PHP 5.3, which can lead to local file inclusion vulnerability.

Successful exploitation of the vulnerability may allow an attacker to read arbitrary files and under certain circumstances even compromise vulnerable system but requires that Joomla! is using an old version of PHP 5.3.

How to mitigate CVE-2018-12712

Update to version 3.8.9.

Sources

https://developer.joomla.org/security-centre.html

PHP file inclusion in Joomla! - CVE-2018-12712

Detailed vulnerability description

How to mitigate CVE-2018-12712

Sources

Please verify you're human