CVE-2013-5576
published 2013-10-09

CVE-2013-5576: administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users…

Priority: P2 (77)
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploited in the wild (VulnCheck KEV)
EPSS: 48.19% (98.7th percentile)
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.

Affected

24 ranges
Vendor: joomla · Product: joomla! · 24 version ranges listed (the per-range "Version range" and "Fixed in" columns did not survive extraction; the affected and fixed versions are given in the description above and in the notes below)

Detection & IOCs (extracted from sources)

Path: administrator/components/com_media/helpers/media.php
URL: /index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=com_content&author=
Path: /images/<uploaded_filename>.php
  • Detect file upload requests to the Joomla Media Manager endpoint (com_media) where the uploaded filename ends in a trailing dot (e.g. 'shell.php.'), which is how the extension filter is bypassed.
  • Alert on HTTP GET requests to /images/<filename>.php shortly after a POST to the com_media upload endpoint from the same client; this pattern indicates a successful webshell upload followed by an execution attempt.
  • Check web server logs and the filesystem for PHP files created under the Joomla /images/ directory, which is not a normal location for PHP scripts.
  • Detect the Media Manager access-check bypass: look for HTTP 200 responses to com_media requests that do NOT contain 'You are not authorised to view this resource', indicating that unauthenticated or unauthorized access succeeded.
  • The vulnerability was exploited in the wild as early as August 2013; affected versions are Joomla 2.5.x up to 2.5.13 and 3.x up to 3.1.4. Patched versions are 2.5.14 and 3.1.5.
  • The Media Manager component is installed by default in Joomla; if public access is not restricted, exploitation requires no authentication. With access controls in place, an Editor role or higher is sufficient for exploitation.
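As an added example (not from cvebase, the sources it cites, or the Joomla project), the log correlation from the second bullet above run over constructed access-log lines, beside a naive extension check that a trailing dot slips past and a normalized check that does not. The sample log lines, the 120-second correlation window and the upload POST URL are assumptions; the hardened check is illustrative, not Joomla's actual patch.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2013:10:01:02 +0000] "POST /index.php?option=com_media&view=images&tmpl=component HTTP/1.1" 200 512
10.0.0.5 - - [12/Aug/2013:10:01:09 +0000] "GET /images/shell.php HTTP/1.1" 200 77
10.0.0.9 - - [12/Aug/2013:10:05:00 +0000] "GET /images/banner.jpg HTTP/1.1" 200 1024
10.0.0.7 - - [12/Aug/2013:11:00:00 +0000] "GET /images/old.php HTTP/1.1" 404 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_WINDOW = timedelta(seconds=120)  # assumed window between upload and first GET

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def correlate_uploads(log_text):
    """Return (ip, path) for GETs of /images/*.php that follow a com_media POST from the same IP."""
    last_upload = {}  # ip -> timestamp of most recent com_media POST
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and "option=com_media" in rec["path"]:
            last_upload[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and rec["path"].startswith("/images/") \
                and rec["path"].lower().endswith(".php"):
            seen = last_upload.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= UPLOAD_WINDOW:
                hits.append((rec["ip"], rec["path"]))
    return hits

BLOCKED = ("php", "phtml", "php3", "phps")

def naive_is_dangerous(filename):
    """Vulnerable pattern: extension read verbatim, so 'shell.php.' yields '' and passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLOCKED

def is_dangerous_upload_name(filename):
    """Hardened check: strip trailing dots/spaces before inspecting the extension."""
    normalized = filename.rstrip(". ")
    ext = normalized.rsplit(".", 1)[-1].lower() if "." in normalized else ""
    return ext in BLOCKED
```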

CVSS provenance

NVD: CVSS v2.0 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
VulnCheck: 6.8 MEDIUM