CVE-2023-23752
published 2023-02-16

CVE-2023-23752: An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

Priority: P1 (86), medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2024-01-29
Exploited in the wild
EPSS: 99.83% (100.0th percentile)

Affected (2 ranges)

Vendor            Product       Version range       Fixed in
joomla!_project   joomla!_cms   -                   -
joomla            joomla_!      >= 4.0.0 < 4.2.8    4.2.8

Detection & IOCs (extracted from sources)

url: /api/index.php/v1/config/application?public=true
url: /api/v1/config/application?public=true
url: /administrator/manifests/files/joomla.xml
url: /language/en-GB/langmetadata.xml
path: /api/index.php/v1/config/application
path: /api/index.php/v1/users
yara: matchers: type: word, part: body, words: '"links":' AND '"attributes":'; type: word, part: header, words: 'application/json' OR 'application/vnd.api+json'; type: status, status: 200
  • Detect unauthenticated GET requests to the Joomla API endpoint /api/index.php/v1/config/application?public=true or /api/v1/config/application?public=true; a successful exploit returns HTTP 200 with JSON body containing both '"links":' and '"attributes":' and Content-Type header of 'application/json' or 'application/vnd.api+json'.
  • Monitor for unauthenticated access to /administrator/manifests/files/joomla.xml and /language/en-GB/langmetadata.xml, which are used by attackers to fingerprint the Joomla version prior to exploitation.
  • The Metasploit module 'auxiliary/scanner/http/joomla_api_improper_access_checks' exploits both the /users and /config/application API endpoints; monitor for scanner-pattern requests hitting both endpoints in rapid succession from the same source IP.
  • The vulnerability only affects Joomla versions 4.0.0 through 4.2.7; Joomla 4.2.8 and later are patched. Joomla 3.x and earlier are not affected.
  • Despite the high EPSS score (0.94511 / 99th percentile), real-world exposure was limited: fewer than 500 internet-facing Joomla 4.x installations were found vulnerable at time of analysis.
  • The primary risk is credential leakage (MySQL DB credentials in plaintext) rather than direct RCE; however, leaked credentials can be chained for further access including RCE via Joomla template editing.
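The detection bullets above describe what to look for in web-server traffic: GET requests to the two public config endpoints answered with HTTP 200, hits on the two version-fingerprint files, and one source touching both the /users and /config/application endpoints. The following script is an added example (not code from this page or from the Joomla project) that applies those checks to a web server access log; the log lines, IP addresses and user agents are constructed sample input. An access log has no response body or Content-Type, so the JSON body and header matchers listed above are left to a WAF or reverse proxy; this example covers only the path, method and status code the log does record.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
# 203.0.113.7 fingerprints the version, then hits /users and /config/application in sequence.
# 198.51.100.4 is ordinary site traffic; 198.51.100.9 probes the endpoint but is denied (403).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2023:10:01:02 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 812 "-" "python-requests/2.28"
203.0.113.7 - - [16/Feb/2023:10:01:03 +0000] "GET /api/index.php/v1/users HTTP/1.1" 200 1432 "-" "python-requests/2.28"
203.0.113.7 - - [16/Feb/2023:10:01:03 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2210 "-" "python-requests/2.28"
198.51.100.4 - - [16/Feb/2023:10:05:44 +0000] "GET /index.php/component/content/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2023:10:07:10 +0000] "GET /api/v1/config/application?public=true HTTP/1.1" 403 210 "-" "curl/7.88"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths taken from the IOC list on this page.
CONFIG_PATHS = ("/api/index.php/v1/config/application", "/api/v1/config/application")
USERS_PATHS = ("/api/index.php/v1/users",)
FINGERPRINT_PATHS = (
    "/administrator/manifests/files/joomla.xml",
    "/language/en-GB/langmetadata.xml",
)


def parse_line(line):
    """Return a dict with ip, ts, method, path (query string stripped) and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["target"].split("?", 1)[0]
    return ev


def analyze(log_text):
    """Return a list of (ip, finding, path) tuples for the detection rules on this page."""
    findings = []
    endpoints_per_ip = defaultdict(set)  # which API endpoint families each source touched

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, path, status = ev["ip"], ev["path"], ev["status"]

        if ev["method"] == "GET" and path in CONFIG_PATHS:
            endpoints_per_ip[ip].add("config")
            # HTTP 200 here is the success condition from the matcher above; anything
            # else (403, 404, 5xx) is still worth recording as a probe attempt.
            kind = "config_disclosure_success" if status == 200 else "config_endpoint_probe"
            findings.append((ip, kind, path))
        elif path in USERS_PATHS:
            endpoints_per_ip[ip].add("users")
            findings.append((ip, "users_endpoint_access", path))
        elif path in FINGERPRINT_PATHS:
            findings.append((ip, "version_fingerprint", path))

    # Scanner pattern from the Metasploit bullet: same source hits both endpoint families.
    for ip, kinds in endpoints_per_ip.items():
        if {"config", "users"} <= kinds:
            findings.append((ip, "scanner_pattern_both_endpoints", ""))
    return findings


if __name__ == "__main__":
    for ip, kind, path in analyze(SAMPLE_LOG):
        print(f"{ip:15} {kind:32} {path}")
```

Run as-is, the script reports the fingerprint hit, the users and config accesses, the successful disclosure and the combined scanner pattern for 203.0.113.7, the denied probe for 198.51.100.9, and nothing for the ordinary visitor. A 200 on the config endpoint from a version in the affected range is the line to escalate on; the fingerprint files alone are also requested by benign crawlers and update checkers, so they are a correlating signal rather than an alert on their own.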

CVSS provenance

nvd        v3.1   5.3   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck         5.3   MEDIUM
cisa              5.3   MEDIUM