Vulnerability CVE-2015-7857


Published: 2015-10-29

Description:
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Joomla SQL Injection Vulnerability in Full Administrative Access *youtube
Trustwave
23.10.2015
Med.
Joomla Content History SQL Injection Remote Code Execution
xistence
21.11.2015
Med.
Joomla Content History SQL Injection Remote Code Execution
xistence
21.11.2015

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Vendor: Joomla
Product: Joomla! 
Version:
3.4.4
3.4.3
3.4.2
3.4.1
3.4.0
3.3.4
3.3.3
3.3.2
3.3.1
3.3.0
3.2.4
3.2.3
3.2.2
3.2.1
3.2.0

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
http://packetstormsecurity.com/files/134097/Joomla-3.44-SQL-Injection.html
http://packetstormsecurity.com/files/134494/Joomla-Content-History-SQL-Injection-Remote-Code-Execution.html
http://www.rapid7.com/db/modules/exploit/unix/webapp/joomla_contenthistory_sqli_rce
http://www.securityfocus.com/bid/77295
http://www.securitytracker.com/id/1033950
https://www.exploit-db.com/exploits/38797/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/

Related CVE
CVE-2018-15882
An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.
CVE-2018-15881
An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.
CVE-2018-15880
An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack.
CVE-2018-12712
An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local Fi...
CVE-2018-12711
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of...
CVE-2018-6378
In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.
CVE-2018-11328
An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could...
CVE-2018-11327
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission.

Copyright 2018, cxsecurity.com

 

Back to Top