cbcvebase.
CVE-2014-1214
published 2019-11-13

CVE-2014-1214: views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component 3.0.2 and earlier for Joomla! allows remote attackers to upload and execute arbitrary…

PriorityP266high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
4.32%
90.0th percentile
views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component 3.0.2 and earlier for Joomla! allows remote attackers to upload and execute arbitrary files via a crafted (1) dest parameter and (2) arbitrary extension in the Filename parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
projoomsmart_flash_header<= 3.0.2

Detection & IOCsextracted from sources · hover to see the quote

path/administrator/components/com_novasfh/views/upload.php
url/administrator/components/com_novasfh/views/upload.php?action=upload&dest=L3Zhci93d3cvaHRtbA==
  • Detect POST requests to the vulnerable upload endpoint with the 'action=upload' parameter and a base64-encoded 'dest' parameter, indicating an attempt to specify an arbitrary upload destination directory.
  • Alert on multipart/form-data POST requests to upload.php where the 'Filename' field contains a .php extension, indicating attempted webshell/backdoor upload.
  • Monitor for file creation of .php files within web-accessible directories originating from the com_novasfh component upload handler, as the dest parameter can be base64-decoded to an arbitrary server path (e.g. L3Zhci93d3cvaHRtbA== decodes to /var/www/html).
  • Flag access to the Joomla administrator uploader interface via the referer path option=com_novasfh&c=uploader, which is the entry point used to stage the exploit.
  • ·The 'dest' parameter is base64-encoded, allowing an attacker to specify any writable server path as the upload destination. Detection rules must account for base64-encoded path traversal values, not just plaintext paths.
  • ·The vulnerability exists in views/upload.php and does not require authentication beyond Joomla administrator access; the exploit targets the /administrator/ path, so detections should cover authenticated admin-side abuse, not just unauthenticated requests.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.