CVE-2023-28732 - Bug Bounty Switzerland

Missing access control in the AcyMailing Joomla plugin allows an attacker to list and access files containing sensitive information from the plugin itself, and to access system files via path traversal, when campaign creation is enabled on the front-office. This issue affects the AcyMailing Joomla plugin in versions below 8.3.0.


Advisory CVE-2023-28732, Missing access control affecting the AcyMailing plugin for Joomla

CVE ID: CVE-2023-28732

Vendor: AcyMailing

Product: Newsletter Plugin for Joomla

Title: Missing access control affecting the AcyMailing plugin for Joomla

Vulnerable Versions: < 8.3.0

Problem Type (CWE):

  • CWE-20 Improper Input Validation
  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Impacts (CAPEC):

  • CAPEC-115 Authentication Bypass
  • CAPEC-126 Path Traversal

CVSS 3.1:

  • 6.5 Medium
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Source Repository (OSS): https://github.com/acyba/acymailing/

References:

  • https://www.acymailing.com/change-log/
  • https://github.com/acyba/acymailing/releases/tag/v8.3.0
  • https://www.bugbounty.ch/advisories/CVE-2023-28732

CVE Description:

Introduction:

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress.

The vulnerability:

Missing access control allows an attacker to list and access files containing sensitive information from the plugin itself, and to access system files through path traversal, when campaign creation is enabled on the front-office.

This issue affects the AcyMailing Joomla plugin in versions below 8.3.0.

The steps to exploit the vulnerability:

  • Campaign creation access needs to be enabled on the front-office; the following steps can then be performed unauthenticated
  • Manipulate the URL to list and get access to the logs of the plugin itself, leaking PII of users
  • Manipulate the URL to list and get access to system files (e.g. in the root directory of Joomla). Only allowed file-types can be listed and accessed
  • Upload arbitrary files. Only allowed file-types can be uploaded

How to check for exploitation:

  • Check access logs for requests of the form “/component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs”, or for suspicious direct access to files under “/media/com_acym/upload/logs/”
  • Check access logs for requests of the form “/component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs/…/…/…/…”, or for suspicious access to files of allowed types anywhere on the system that is readable by the webserver user
  • Check for suspicious files uploaded to /media/com_acym/upload/
  • Default allowed file-types are: zip, doc, docx, pdf, xls, txt, gzip, rar, jpg, jpeg, gif, xlsx, pps, csv, bmp, ico, odg, odp, ods, odt, png, ppt, swf, xcf, mp3, wma
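A log check that implements the indicators above, added here as an example and not part of the advisory or the plugin. The access-log lines and the file name acym_log.txt are constructed; it assumes traversal shows up as ".." segments in the currentFolder parameter, possibly URL-encoded.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Mar/2023:10:01:02 +0000] "GET /component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2023:10:01:09 +0000] "GET /media/com_acym/upload/logs/acym_log.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2023:10:02:30 +0000] "GET /component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs/%2e%2e/%2e%2e/%2e%2e/%2e%2e HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2023:10:05:00 +0000] "GET /component/acym/frontfile.html?currentFolder=media/com_acym/upload HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Mar/2023:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FRONTFILE = "/component/acym/frontfile.html"
LOGS_DIR = "media/com_acym/upload/logs"   # plugin log folder named in the advisory


def classify(target):
    """Return a reason if the request matches an advisory indicator, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Indicator 1b: direct download of a file from the plugin's log folder.
    if path.startswith("/" + LOGS_DIR + "/"):
        return "direct access to plugin log file"
    if path == FRONTFILE:
        # parse_qs decodes once; decode again to catch double-encoded traversal.
        folder = parse_qs(parts.query).get("currentFolder", [""])[0]
        folder = unquote(folder).replace("\\", "/")
        # Indicator 2: any ".." segment means the browser is leaving the upload root.
        if ".." in folder.split("/"):
            return "path traversal in currentFolder"
        # Indicator 1a: listing the log folder itself through the front-office browser.
        if folder.rstrip("/") == LOGS_DIR or folder.startswith(LOGS_DIR + "/"):
            return "listing of plugin logs folder"
    return None


def scan(log_text):
    """Parse each line and collect (ip, timestamp, reason, target) for matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := classify(m["target"])):
            hits.append((m["ip"], m["ts"], reason, m["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Plain browsing of the upload folder (the fourth sample line) is expected front-office behaviour and is not flagged; only the log-folder and traversal patterns are.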

Solution:

  • update to a fixed version (>= 8.3.0)

Timeline:

  • 2023-02-01: reported
  • 2023-03-09: initial vendor notification
  • 2023-03-10: initial vendor response
  • 2023-03-20: release of fixed version
  • 2023-03-30: coordinated public disclosure

Credits:

  • Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland
  • Coordinator: Bug Bounty Switzerland

