CVE-2015-4074
published 2017-09-20CVE-2015-4074: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the…
PriorityP180high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
56.51%
98.9th percentile
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| helpdesk_pro_project | helpdesk_pro | <= 1.3.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
url/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe↗
- →Look for GET requests to the Joomla Helpdesk Pro component containing 'task=ticket.download_attachment' with a 'filename' parameter containing directory traversal sequences (../) targeting sensitive files such as /etc/passwd. ↗
- →The exploit is unauthenticated — no session or authentication token is required to trigger the path traversal via the filename parameter in ticket.download_attachment. ↗
- →A successful exploitation response will contain the content of /etc/passwd; match HTTP 200 responses with the pattern 'root:[x*]:0:0' to confirm file disclosure. ↗
- ·All versions of Helpdesk Pro prior to 1.4.0 are suspected vulnerable; the PoC was specifically tested and verified against version 1.3.0. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2m49-58pm-gx29: Directory traversal vulnerability in the Helpdesk Pro plugin before 1
ghsa_unreviewed·2022-05-17
CVE-2015-4074 [HIGH] CWE-22 GHSA-2m49-58pm-gx29: Directory traversal vulnerability in the Helpdesk Pro plugin before 1
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
VulnCheck
helpdesk_pro_project helpdesk_pro Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2015·CVSS 7.5
CVE-2015-4074 [HIGH] helpdesk_pro_project helpdesk_pro Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
helpdesk_pro_project helpdesk_pro Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
Affected: helpdesk_pro_project helpdesk_pro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-s
No detection rules found.
Exploit-DB
Joomla! Component Helpdesk Pro < 1.4.0 - Multiple Vulnerabilities
exploitdb·2015-07-21·CVSS 5.3
CVE-2015-4075 [MEDIUM] Joomla! Component Helpdesk Pro < 1.4.0 - Multiple Vulnerabilities
Joomla! Component Helpdesk Pro < 1.4.0 - Multiple Vulnerabilities
---
Document Title
Joomla! plugin Helpdesk Pro < 1.4.0
Reported By
Simon Rawet from Outpost24
Kristian Varnai from Outpost24
Gregor Mynarsky from Outpost24
https://www.outpost24.com/
For full details, see;
https://www.outpost24.com/outpost24-has-found-critical-vulnerabilities-in-joomla-helpdesk-pro/
Tested on
All exploits were tested and verified by Outpost24 for HelpDesk Pro version 1.3.0. While no official testing has been done on earlier versions, all versions prior to 1.4.0, where the issues were finally patched, are suspected of being vulnerable.
Release Date
2015-07-16
CVE
===
CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-407
Nuclei
Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2015-4074 [HIGH] Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
Template:
id: CVE-2015-4074
info:
name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
impact: |
An attacker can exploit this vulnerability to read sensitive files on the server.
remediation: |
Upgrade to Joomla! Helpdesk Pro plugin version 1.4.0 o
No writeups or analysis indexed.
http://packetstormsecurity.com/files/132766/Joomla-Helpdesk-Pro-XSS-File-Disclosure-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2015/Jul/102http://www.securityfocus.com/bid/75971https://www.exploit-db.com/exploits/37666/http://packetstormsecurity.com/files/132766/Joomla-Helpdesk-Pro-XSS-File-Disclosure-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2015/Jul/102http://www.securityfocus.com/bid/75971https://www.exploit-db.com/exploits/37666/
2017-09-20
Published
Exploited in the wild