Zero-Day Issued for Old CMS – Online Proof-of-Concept Code Available

From hackercombat.com


Reports of a flaw in older versions of the Joomla content management system (CMS), a widely used web application for building and managing websites, were posted online last week.

The bug was discovered by Alessandro Groppo, a security researcher at the Italian firm Hacktive Security. It affects every Joomla release from 3.0.0 (late September 2012) to 3.4.6 (mid-December 2015).

The vulnerability is easy to exploit, and proof-of-concept attack code has been published online.
It is a PHP object injection that, under certain conditions, can lead to remote code execution (RCE). For example, it can be triggered through the Joomla login form, allowing an attacker to execute code on the underlying web server. Since the affected releases are long out of support, the only real fix is to upgrade to a supported Joomla branch.
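As an added illustration (not Joomla's code and not the published proof of concept), the following self-contained PHP shows the general shape of a PHP object injection: an `unserialize()` call on attacker-controlled input, a "gadget" class whose magic method does something dangerous with its properties, and two hardened alternatives. The `LogWriter` class, the function names and the payload are constructed for this example; in a real attack the written file would land under the web root rather than in the current directory.

```php
<?php
// Constructed example of PHP object injection; not Joomla's code.

// Gadget: an ordinary application class whose destructor writes its
// properties to disk. Objects created by unserialize() from untrusted
// data also run __destruct(), so the attacker controls both fields.
class LogWriter
{
    public $path = 'app.log';
    public $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: session, cookie or form data goes straight into
// unserialize(), which may instantiate any loaded class.
function restoreStateVulnerable(string $blob): array
{
    $state = unserialize($blob);
    return is_array($state) ? $state : [];
    // $state is released here; a LogWriter instance runs __destruct().
}

// Hardened pattern 1 (PHP >= 7.0): refuse to instantiate any class.
// Object payloads come back as __PHP_Incomplete_Class with no behaviour.
function restoreStateNoObjects(string $blob): array
{
    $state = unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// Hardened pattern 2 (PHP >= 7.3): use a data format that cannot
// express objects at all; malformed input is rejected outright.
function restoreStateJson(string $blob): array
{
    try {
        $state = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($state) ? $state : [];
}

// Constructed attacker payload: a serialized LogWriter whose destructor
// writes PHP source to a file. The string lengths must match the fields.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:12:"injected.php";'
         . 's:4:"data";s:19:"<?php phpinfo(); ?>";}';

// Legitimate state still round-trips through all three functions.
$legit = serialize(['user' => 'alice', 'role' => 'editor']);
var_dump(restoreStateVulnerable($legit)['user'] === 'alice');

// Hardened variants: the payload is neutralised, no file appears.
restoreStateNoObjects($payload);
restoreStateJson($payload);
var_dump(file_exists('injected.php'));        // bool(false)

// Vulnerable variant: the gadget is instantiated and its destructor
// writes the attacker's content to disk.
restoreStateVulnerable($payload);
var_dump(file_exists('injected.php'));        // bool(true)
@unlink('injected.php');
```

The login-form detail in the article is the delivery vector for a payload like this; the underlying defect is always the same, untrusted bytes reaching `unserialize()` while a class with a useful magic method is loadable. When legacy data really must stay in PHP's native serialization format, `allowed_classes` (either `false` or an explicit short allow-list) is the minimum mitigation; switching to JSON removes the class of bug entirely.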

Read more…