Advisory CVE-2023-28732, Missing access control affecting the AcyMailing plugin for Joomla

CVE ID: CVE-2023-28732

Vendor: AcyMailing

Product: Newsletter Plugin for Joomla

Title: Missing access control affecting the AcyMailing plugin for Joomla

Vulnerable Versions: < 8.3.0

Problem Type (CWE):

CWE-20 Improper Input Validation
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Impacts (CAPEC):

CAPEC-115 Authentication Bypass
CAPEC-126 Path Traversal

CVSS 3.1:

6.5 Medium
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Source Repository (OSS): https://github.com/acyba/acymailing/

References:

CVE Description:

Introduction:

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress.

The vulnerability:

Missing access control allows to list and access files containing sensitive information from the plugin itself and access to system files due to path traversal, when being granted access to the campaign’s creation on front-office.

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0.

The steps to exploit the vulnerability:

Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated
Manipulate the URL to list and get access to the logs of the plugin itself, leaking PII of users
Manipulate the URL to list and get access to system files (e.g. in the root directory of Joomla). Only allowed file-types can be listed and accessed
Upload arbitrary files. Only allowed file-types can be uploaded

How to check for exploitation:

Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs” or suspicious access to files in “/media/com_acym/upload/logs/”
Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs/../../../..” or suspicious access to allowed file-types on the entire system accessible by the user of the webserver
Check for suspicious files uploaded in /media/com_acym/upload/
Default allowed file-types are: zip, doc, docx, pdf, xls, txt, gzip, rar, jpg, jpeg, gif, xlsx, pps, csv, bmp, ico, odg, odp, ods, odt, png, ppt, swf, xcf, mp3, wma

Solution:

update to a fixed version (>= 8.3.0)

Timeline:

2023-02-01: reported
2023-03-09: initial vendor notification
2023-03-10: initial vendor response
2023-03-20: release of fixed version
2023-03-30: coordinated public disclosure

Credits:

Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland
Coordinator: Bug Bounty Switzerland

Cookie	Dauer	Beschreibung
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.