Vulnerable Version
4.0.0 <= Joomla <= 4.2.7
Fixed Version
Joomla 4.4.9
Base Score
5.3 Medium
Vendor Description:-
Joomla is a free and open-source content management system (CMS) for publishing web content on websites.
Web content applications include discussion forums, photo galleries, e-commerce and user
communities, and numerous other web-based applications. Joomla is developed by a community of
volunteers supported with the legal, organizational, and financial resources of Open Source Matters, Inc.
CVE-2023-23752 Vulnerability Description:-
Joomla is vulnerable to CVE-2023-23752, an Improper Access Execution vulnerability in the
/api/index.php/v1/config/application, /joomla/api/v1/config/application?public=true,
/api/index.php/v1/config/application?public=true, /api/v1/config/application?public=true endpoints of
the Joomla server. The public parameter of the vulnerable endpoint allows an attacker to access
Joomla-related configuration information, which eventually leads to the disclosure of sensitive
information such as the database username and password.
Impact:
Exposure of Sensitive Data: An attacker can exploit the improperly secured API endpoint to
retrieve confidential user data, including usernames, email addresses, and hashed passwords.
Increased Risk of Credential-Based Attacks: With access to user information, attackers may:
- Attempt credential stuffing attacks using leaked credentials.
- Perform brute force attacks on exposed accounts if password policies are weak.
Compromise of Other Services: If users reuse passwords across platforms, attackers may gain
unauthorized access to other applications or systems.
Mitigation
An official security release that fixes this vulnerability is available. Affected users should
upgrade promptly:
https://downloads.joomla.org/
Restrict API access to trusted networks or authenticated users where possible.
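To check whether the endpoints listed above were queried before the upgrade, the following added example (not part of the original advisory or of Joomla) scans web-server access logs for Joomla API requests that carry a `public` query parameter. The Combined Log Format, the sample log lines, the function names and the choice to flag any value of `public` are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Joomla API route: optional site prefix, optional index.php, then /v1/
API_PATH_RE = re.compile(r"/api/(?:index\.php/)?v1/", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1987 "-" "curl/7.88"',
    '203.0.113.7 - - [01/Mar/2023:10:00:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "curl/7.88"',
    '198.51.100.4 - - [01/Mar/2023:10:05:00 +0000] "GET /joomla/api/v1/config/application?%70ublic=TRUE HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.10 - - [01/Mar/2023:10:06:00 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 88 "-" "-"',
    '192.0.2.10 - - [01/Mar/2023:10:06:05 +0000] "GET /index.php?public=true HTTP/1.1" 200 5120 "-" "-"',
]

def has_public_param(target):
    """True when the request targets the Joomla API and carries a `public` parameter."""
    parts = urlsplit(target)
    if not API_PATH_RE.search(unquote(parts.path)):
        return False
    # parse_qs percent-decodes keys, so %70ublic=true is caught as well.
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(key.lower() == "public" for key in params)

def scan(lines):
    """Return {client_ip: {"hits": n, "served": m}}; served counts HTTP 200 replies."""
    findings = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the assumed log format
        ip, target, status = match.groups()
        if not has_public_param(target):
            continue
        entry = findings.setdefault(ip, {"hits": 0, "served": 0})
        entry["hits"] += 1
        if status == "200":
            entry["served"] += 1  # request was served: treat the returned data as disclosed
    return findings

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

A non-zero `served` count on a host that ran a vulnerable version means the database credentials in the configuration should be treated as disclosed and changed.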
POC
Exploit for CVE-2023-23752
ruby exploit.rb http://127.0.0.1:4242

CVE-2023-23752 to Code Execution
http:///api/index.php/v1/users?public=true

The database output contains usernames, emails, and assigned group (e.g. Super Users). This should be enough for credential stuffing or brute forcing to achieve Super User access. Some bad administrators might even reuse the MySQL password for the Super User account. Either way, this additional leak has the added benefit of not relying on MySQL being reachable. Once Super User access is achieved, the attacker can follow the previously discussed paths to code execution.
References:-
https://github.com/Acceis/exploit-CVE-2023-23752
https://vulncheck.com/blog/joomla-for-rce
