CVE-2023-23752
Published 2023-02-16
CVE-2023-23752: An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Priority: P186 · medium · 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-01-29
Exploited in the wild
EPSS: 99.83% (100.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla!_project | joomla!_cms | — | — |
| joomla | joomla_! | >= 4.0.0 < 4.2.8 | 4.2.8 |
Detection & IOCs
yara
matchers: type: word, part: body, words: '"links":' AND '"attributes":'; type: word, part: header, words: 'application/json' OR 'application/vnd.api+json'; type: status, status: 200
- Detect unauthenticated GET requests to the Joomla API endpoint /api/index.php/v1/config/application?public=true or /api/v1/config/application?public=true; a successful exploit returns HTTP 200 with a JSON body containing both '"links":' and '"attributes":' and a Content-Type header of 'application/json' or 'application/vnd.api+json'.
- Monitor for unauthenticated access to /administrator/manifests/files/joomla.xml and /language/en-GB/langmetadata.xml, which are used by attackers to fingerprint the Joomla version prior to exploitation.
- The Metasploit module 'auxiliary/scanner/http/joomla_api_improper_access_checks' exploits both the /users and /config/application API endpoints; monitor for scanner-pattern requests hitting both endpoints in rapid succession from the same source IP.
- The vulnerability only affects Joomla versions 4.0.0 through 4.2.7; Joomla 4.2.8 and later are patched. Joomla 3.x and earlier are not affected.
- Despite the high EPSS score (0.94511 / 99th percentile), real-world exposure was limited: fewer than 500 internet-facing Joomla 4.x installations were found vulnerable at time of analysis.
- The primary risk is credential leakage (MySQL DB credentials in plaintext) rather than direct RCE; however, leaked credentials can be chained for further access including RCE via Joomla template editing.
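The three monitoring points above, applied to web server access logs, as an added example that is not part of the original page or of any listed project. The log lines are constructed, the `/users` path is assumed to share the prefix of the config endpoint, and the 60-second window is an assumed threshold. Access logs carry no response body, so a 200 here still needs the body and Content-Type check described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2023:09:14:01 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1893 "-" "curl/8.1"
203.0.113.7 - - [11/Dec/2023:09:14:03 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2310 "-" "curl/8.1"
203.0.113.7 - - [11/Dec/2023:09:14:04 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 812 "-" "curl/8.1"
198.51.100.20 - - [11/Dec/2023:09:20:10 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 97 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Dec/2023:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Both URL forms named on the page; the users path is an assumption.
API = re.compile(r'^/api/(?:index\.php/)?v1/(users|config/application)\?(?:.*&)?public=true(?:&|$)')
FINGERPRINT = {"/administrator/manifests/files/joomla.xml",
               "/language/en-GB/langmetadata.xml"}
WINDOW = timedelta(seconds=60)  # assumed meaning of "rapid succession"

def analyze(log_text):
    """Return {source_ip: sorted findings} for one access log."""
    hits = defaultdict(list)     # ip -> [(time, endpoint)] for 200 API responses
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "GET":
            continue
        ip, ts, _, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        api = API.match(uri)
        if uri.split("?")[0] in FINGERPRINT:
            findings[ip].add("version-fingerprint")
        elif api and status == "200":
            findings[ip].add("api-disclosure:" + api.group(1))
            hits[ip].append((when, api.group(1)))
        elif api:
            findings[ip].add("api-probe")  # requested, but not answered with 200
    for ip, seen in hits.items():
        seen.sort()
        # Different endpoints hit back to back by one source: scanner pattern.
        for (t1, e1), (t2, e2) in zip(seen, seen[1:]):
            if e1 != e2 and t2 - t1 <= WINDOW:
                findings[ip].add("scanner-pattern")
    return {ip: sorted(f) for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, found)
```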
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck · 5.3 MEDIUM
cisa · 5.3 MEDIUM
GHSA
GHSA-jmc9-376w-885v: An issue was discovered in Joomla! 4
ghsa_unreviewed·2023-02-16
CVE-2023-23752 [MEDIUM] CWE-284 GHSA-jmc9-376w-885v: An issue was discovered in Joomla! 4
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
VulnCheck
Joomla! Improper Access Control Vulnerability
vulncheck·2023·CVSS 5.3
CVE-2023-23752 [MEDIUM] CWE-284 Joomla! Improper Access Control Vulnerability
Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints.
Affected: Joomla! Joomla!
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/rss/29614; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2023-23752; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2023-23752; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2023-23752; https://dashboard.shad
CISA
Joomla! Improper Access Control Vulnerability
cisa·2024-01-08·CVSS 5.3
CVE-2023-23752 [MEDIUM] CWE-284 Joomla! Improper Access Control Vulnerability
Vulnerability: Joomla! Improper Access Control Vulnerability
Affected: Joomla! Joomla!
Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html; https://nvd.nist.gov/vuln/detail/CVE-2023-23752
Remediation Due Date: 2024-01-29
Suricata
ET WEB_SPECIFIC_APPS Joomla Improper Access Control to Webservice Endpoints (CVE-2023-23752)
suricata·2024-05-28·CVSS 5.3
CVE-2023-23752 [MEDIUM] ET WEB_SPECIFIC_APPS Joomla Improper Access Control to Webservice Endpoints (CVE-2023-23752)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Improper Access Control to Webservice Endpoints (CVE-2023-23752)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/index.php/v1/config/application?public=true"; fast_pattern; endswith; reference:cve,2023-23752; reference:url,nvd.nist.gov/vuln/detail/CVE-2023-23752; reference:url,developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html; classtype:trojan-activity; sid:2052951; rev:1; metadata:created_at 2024_05_28, cve CVE_2023_23752, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_
Exploit-DB
Joomla! v4.2.8 - Unauthenticated information disclosure
exploitdb·2023-04-08·CVSS 5.3
CVE-2023-23752 [MEDIUM] Joomla! v4.2.8 - Unauthenticated information disclosure
---
#!/usr/bin/env ruby
# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 [options]
#{__FILE__} -h | --help
#{Paint['Parameters:', :red]}
Root URL (base path) including HTTP scheme, port and root folder
#{Paint['Options:', :red]}
--debug Display arguments
--no-color Disable colorized output (NO_COLOR environment variable is res
Metasploit
Joomla API Improper Access Checks
metasploit
Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability. This vulnerability allows unauthenticated users access to webservice endpoints which contain sensitive information. Specifically for this module we exploit the users and config/application endpoints. This module was tested against Joomla 4.2.7 running on Docker.
Nuclei
Joomla! Webservice - Password Disclosure
nuclei·CVSS 7.5
CVE-2023-23752 [HIGH] Joomla! Webservice - Password Disclosure
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Template:
id: CVE-2023-23752
info:
name: Joomla! Webservice - Password Disclosure
author: badboycxcc,Sascha Brendel
severity: medium
description: |
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
impact: |
The vulnerability can lead to unauthorized access to user passwords, compromising the confidentiality of user accounts.
remediation: Upgrade to Joomla! version 4.2.8 or later.
reference:
- https://unsafe.sh/go-149780.html
- https://twitter.com/gov_hack/status/1626471960141238272/photo/1
- https://developer.joomla.org/security-cen
arXiv
PACEbench: A Framework for Evaluating Practical AI Cyber-Exploitation Capabilities
arxiv_fulltext·2025-10-13
## Abstract
The increasing autonomy of Large Language Models (LLMs) necessitates a rigorous evaluation of their potential to aid in cyber offense. Existing benchmarks often lack real-world complexity and are thus unable to accurately assess LLMs' cybersecurity capabilities. To address this gap, we introduce PACEbench, a practical AI cyber-exploitation benchmark built on the principles of realistic vulnerability difficulty, environmental complexity, and cyber defenses. Specifically, PACEbench comprises four scenarios spanning single, blended, chained, and defense vulnerability exploitations. To handle these complex challenges, we propose PACEagent, a novel agent that emulates human penetration testers by supporting multi-phase reconnaissance, analysis, and exploitation.
Extensive ex
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Devvortex / README
ctf_writeups·CVSS 7.7
CVE-2023-23752 [HIGH] Devvortex / README
# Devvortex
> Write-up author: jon-brandy
## Lesson Learned:
- Enumerating subdomain using ffuf.
- Directory listing using dirsearch.
- Exploiting CMS Joomla v4.2 --> CVE-2023-23752.
- Accessing mysql (inline command).
- Cracking password using john.
- Exploiting apport-cli bin for privilege escalation --> CVE-2023-1326.
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sV -sC 10.10.11.242 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 01:23 PST
Nmap scan report for 10.10.11.242
Host is up (0.018s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c18
```
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Devvortex / README
ctf_writeups·CVSS 7.7
CVE-2023-23752 [HIGH] Devvortex / README
# Devvortex - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22` and `80`.
***User***: Identified vhost `dev.Devvortex.htb`. In the `robots.txt` file, `Joomla` is indicated. Utilizing `CVE-2023-23752`, we extracted credentials from the configuration. With these credentials, we gained access and inserted a reverse shell into the `index.php` file within the `Joomla` templates. Found `logan`'s hashed password in the `Joomla` database.
***Root***: Executed `sudo -l` revealing permission to run `apport-cli` as `root`. Leveraging `CVE-2023-1326`, privilege escalation was achieved.
## Devvortex Solution
### User
Let's begin by using `nmap` to scan the target machine:
Bleepingcomputer
CISA warns agencies of fourth flaw used in Triangulation spyware attacks
blogs_bleepingcomputer·2024-01-09·CVSS 5.3
[MEDIUM] CISA warns agencies of fourth flaw used in Triangulation spyware attacks
## CISA warns agencies of fourth flaw used in Triangulation spyware attacks
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency has added to its Known Exploited Vulnerabilities catalog six vulnerabilities that impact products from Apple, Adobe, Apache, D-Link, and Joomla.
The Known Exploited Vulnerabilities catalog, or KEV for short, contains security issues that have been actively exploited in the wild. It is a valuable resource for organizations across the globe in the vulnerability management and prioritization process.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," reads CISA's notice.
CISA has given federal agencies until January 29 to patch the six actively
Sentinelone
CVE-2023-23752: Joomla Authentication Bypass Vulnerability
blogs_sentinelone·2023-04-10·CVSS 5.3
CVE-2023-23752 [MEDIUM] CVE-2023-23752: Joomla Authentication Bypass Vulnerability
CVE-2023-23752 is an authentication bypass vulnerability that allows unauthenticated users to access sensitive information about a Joomla! installation. The vulnerability was found by Zewei Zhang from NSFOCUS TIANJI Lab on February 24, 2023, and was assigned a CVSS score of 5.3 (medium). It affects Joomla versions 4.0.0 to 4.2.7; the patch was released in version 4.2.8.
## CVE-2023-23752 Impact
Affected websites may suffer severe consequences due to this vulnerability. Attackers can exploit it to gain unauthorized access to web service endpoints, which may lead to the leakage of sensitive information such as usernames, passwords, and database names. Furthermore, there is speculation that attackers attempted to use
Sentinelone
OWASP Kubernetes Security: Top 10 Risks & Solutions
blogs_sentinelone·2023-04-06
Kubernetes, a popular open-source container orchestration system, has gained popularity among enterprises for its ability to manage and automate large-scale containerized workloads. However, as with any technology, inherent security risks must be considered and addressed.
In this post, we explore the top ten Kubernetes security risks and provide recommendations for mitigating these risks.
## What is Kubernetes?
Kubernetes, commonly referred to as “K8s”, is a container orchestration system that automates the deployment, scaling, and management of containerized workloads. It was originally developed by Google and is now maintained by the Cloud Native Computing Foundation (CNCF).
Kubernetes is a powerful tool that offers self-healing, auto-scaling, and service discovery features. In a
https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-23752
Published: 2023-02-16
Added to CISA KEV: 2024-01-08
Exploited in the wild