CVE-2019-12765
published 2019-06-11

CVE-2019-12765: An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.

Priority: P2 (63), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 10.49% (95.2th percentile)

Affected

1 range
Vendor: joomla
Product: joomla!
Version range: 3.9.0 – 3.9.6
Fixed in: 3.9.7

Detection & IOCs (extracted from sources)

url: http://127.0.0.1/joomla/index.php/component/users/?view=registration&Itemid=101
url: /joomla/index.php?option=com_users
command: =cmd|'/c calc.exe'!A1
  • Monitor Joomla user registration form submissions where the 'jform[name]' field contains CSV injection characters (e.g., leading '=', '+', '-', '@') followed by pipe-delimited command strings such as '=cmd|'.
  • Alert on POST requests to the Joomla registration endpoint (/index.php/component/users/?view=registration) containing formula-injection patterns in name fields, indicative of CSV injection staging via com_actionslogs.
  • The CSV export of com_actionslogs is the delivery vector; inspect exported CSV files or HTTP responses from com_actionslogs for cells beginning with '=', '+', '-', or '@' followed by command syntax.
  • The exploit payload uses 'calc.exe' as a proof-of-concept; real-world attackers would substitute arbitrary OS commands. Detection rules should match the formula-injection prefix pattern generically (e.g., '=cmd|') rather than only the PoC payload.
  • The vulnerability affects Joomla! versions before 3.9.7; instances running 3.9.7 or later with the patch applied are not susceptible via this vector.
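The detection points above (formula prefixes in exported cells, `=cmd|`-style patterns in the `jform[name]` registration field, and generic rather than PoC-only matching) as one worked example. This is added code, not part of the CVE record and not Joomla's own fix; the field names, the sample CSV export and the sample POST body are constructed here for illustration, and the single-quote prefix used to neutralize cells follows common CSV-injection hardening guidance rather than Joomla's actual patch.

```python
"""Detect and neutralize spreadsheet formula injection in CSV exports and
in the form fields that feed them (added example, not from the CVE record)."""
import csv
import io
import re
from urllib.parse import parse_qs

# A cell whose first non-space character is one of these is evaluated as a
# formula by common spreadsheet applications; tab and CR are included because
# some applications strip them before evaluation.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Generic DDE-style pattern: formula prefix, a command token, then a pipe.
# Matches "=cmd|..." from the record's PoC without depending on calc.exe.
DDE_PATTERN = re.compile(r"^\s*[=+\-@]\s*\w+\s*\|")

# Form fields (assumed names taken from the record's IOCs) that end up in
# com_actionslogs exports and therefore deserve inspection at ingest time.
WATCHED_FIELDS = ("jform[name]",)


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would treat this cell as a formula."""
    stripped = value.lstrip(" ")
    return stripped[:1] in FORMULA_PREFIXES


def looks_like_dde(value: str) -> bool:
    """True for the narrower '=cmd|'-style command pattern."""
    return bool(DDE_PATTERN.search(value))


def neutralize_cell(value: str) -> str:
    """Prefix formula-looking cells with a single quote so the spreadsheet
    renders them as text; other cells are returned unchanged."""
    return "'" + value if is_formula_cell(value) else value


def scan_csv(text: str):
    """Return (row, column, value) for every formula-looking cell in a CSV."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


def safe_export(rows) -> str:
    """Write rows as CSV with every cell passed through neutralize_cell()."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def scan_registration_post(body: str):
    """Flag watched form fields in a URL-encoded POST body that carry a
    formula prefix (the staging step the record describes)."""
    fields = parse_qs(body, keep_blank_values=True)
    flagged = []
    for name in WATCHED_FIELDS:
        for value in fields.get(name, []):
            if is_formula_cell(value):
                flagged.append((name, value))
    return flagged


# Constructed sample data: the PoC cell quoted in the record, a small
# com_actionslogs-style export and a registration POST body carrying it.
POC_CELL = "=cmd|'/c calc.exe'!A1"
SAMPLE_EXPORT = (
    "date,user,action\n"
    "2019-06-11,\"=cmd|'/c calc.exe'!A1\",user.register\n"
    "2019-06-11,alice,user.login\n"
    "2019-06-11,@bob,user.login\n"
)
SAMPLE_POST = (
    "option=com_users&task=registration.register"
    "&jform[name]=%3Dcmd%7C%27%2Fc+calc.exe%27%21A1&jform[username]=alice"
)

if __name__ == "__main__":
    print("suspicious cells:", scan_csv(SAMPLE_EXPORT))
    print("flagged fields:", scan_registration_post(SAMPLE_POST))
    print(safe_export([["date", "user"], ["2019-06-11", POC_CELL]]))
```

`scan_csv` matches the broad prefix rule (so it also reports `@bob`, which a reviewer may want to triage), while `looks_like_dde` isolates the command-style pattern for a higher-confidence alert; `safe_export` shows the server-side mitigation applied at export time, which is what removes the delivery vector regardless of what was stored.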

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P