CVE-2019-9922 (azd-cert/CVE)
An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. Directory Traversal allows read access to arbitrary files.
CVE-2019-9922
Affected software
JE Messenger 1.2.2 Joomla Module by Harmis Technology.
What: Directory Traversal
Due to insufficient protection mechanisms, it is possible to access arbitrary files from the server.
Meta
During the preparation of one of our incident response exercises, one of our CERT members (Tobias Roggenhofer) detected unexpected behavior in the Joomla module JE Messenger by Harmis Technology in its current version (1.2.2). Because of this behavior, we started analyzing the module and detected several vulnerabilities.
We informed the software vendor that we had detected vulnerabilities in their module. Sadly, a secure communication channel to share the details could not be established.
Since we still want to disclose our findings in a responsible way, in the first step on 2019-03-29 we announced only the type of vulnerability and the associated risk. This gives the software vendor time to patch the plugin, or users time to move to another plugin or temporarily disable it. Since 2019-05-01 we have published more details, including some payloads.
CVSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N : 5.8 (Medium)
Detailed description
The vulnerability is located in the attachment download of the component. To exploit it, you can either send yourself a message with an attachment, open it, and copy the download link of the attachment, or simply use the following link: <www.example.vuln>/index.php/component/jemessenger/box_details?task=download&dw_file=
The following example URL shows how to use this vulnerability to download the passwd file from the server: <www.example.vuln>/index.php/component/jemessenger/box_details?task=download&dw_file=…/…/…/./…/…/…/etc/passwd
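For defenders checking whether this download endpoint has been probed, the following added example (not part of the original advisory or the vendor's code) scans web server access logs for `task=download` requests whose `dw_file` value is anything other than a bare file name. The log lines are constructed samples, and the rule that a legitimate attachment reference contains no directory part is an assumption.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint, task and parameter names come from the advisory text.
ENDPOINT = "/component/jemessenger/box_details"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding so a double-encoded '..' is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(dw_file):
    """True if the value is not a bare file name (assumed to be the legitimate form)."""
    name = fully_decode(dw_file).replace("\\", "/")
    if "\x00" in name or name.startswith("/") or name in (".", ".."):
        return True
    return posixpath.basename(name) != name  # any directory component at all

def scan(lines):
    """Return (line number, dw_file as decoded once by parse_qs) per suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        query = parse_qs(url.query, keep_blank_values=True)
        if ENDPOINT not in url.path or query.get("task") != ["download"]:
            continue
        hits += [(number, v) for v in query.get("dw_file", []) if is_suspicious(v)]
    return hits

# Constructed sample access-log lines (combined log format), not from a real server.
BASE = "/index.php/component/jemessenger/box_details?task=download&dw_file="
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/May/2019:10:00:00 +0000] "GET {BASE}report.pdf HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [01/May/2019:10:00:07 +0000] "GET {BASE}../../../etc/passwd HTTP/1.1" 200 1843',
    f'203.0.113.9 - - [01/May/2019:10:00:09 +0000] "GET {BASE}%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '203.0.113.5 - - [01/May/2019:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious dw_file={value!r}")
```

A hit with a 200 status and a response size that does not match any stored attachment is worth following up during incident triage.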
Timeline
- 2019-03-05: Contacted vendor, request for encrypted communication
- 2019-03-06: Request from vendor to tell affected product (no encryption)
- 2019-03-06: Provided Module-Name (no encryption)
- 2019-03-06: Further contact with vendor, sadly still no encryption
- 2019-03-13: Reminder, deadline set for 18th of March for a response (no encryption)
- 2019-03-19: No response, reserving CVEs, planned release on 2019-04-01
- 2019-03-22: MITRE informs us that 5 CVEs are reserved
- 2019-03-29: Publishing basic information, informing MITRE and vendor
- 2019-05-01: Publishing full vulnerability details