Advisory CVE-2023-28731, Unauthenticated RCE affecting the AcyMailing plugin for Joomla
CVE ID: CVE-2023-28731
Vendor: AcyMailing
Product: Newsletter Plugin for Joomla in the Enterprise version
Title: Unauthenticated RCE affecting the AcyMailing plugin for Joomla
Vulnerable Versions: < 8.3.0
Problem Type (CWE):
- CWE-20 Improper Input Validation
- CWE-434 Unrestricted Upload of File with Dangerous Type
Impacts (CAPEC): CAPEC-242 Code Injection
CVSS 3.1:
- 9.8 Critical
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
CVE Description:
Introduction:
AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress.
The vulnerability:
Unrestricted file upload allows PHP code to be injected, leading to unauthenticated remote code execution when campaign creation is enabled on the front-office.
This issue affects the AcyMailing Joomla plugin in versions below 8.3.0.
The steps to exploit the vulnerability:
- Campaign creation access needs to be enabled on the front-office; the following steps can then be performed unauthenticated
- Edit an AcyMailing template and initiate sending a test email
- One of the resulting requests sent to the plugin sets a thumbnail; this request can be manipulated and accepts PHP code, which is stored on the system
- The resulting PHP file is web-accessible, which enables execution of the injected code
How to check for exploitation:
- The thumbnails are stored in the following location: /media/com_acym/images/thumbnails/
- A sign of successful exploitation is the presence of PHP files in this directory
- Check the web server logs for suspicious POST requests similar to "/index.php?option=com_acym&tmpl=component&4f0877f7c82462a794cb5a042282dbf0=1&ctrl=frontmails&task=setNewThumbnail"
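The two checks above, as an added example script that is not part of the advisory or of AcyMailing: it scans the thumbnail directory for PHP files and filters Apache/nginx combined-format access logs for POST requests to the setNewThumbnail task. The web-root path, the log format and the sample log lines are constructed for the example; matching on the stable option/ctrl/task parameters rather than on the full URL is an assumption that the hex-named parameter in the advisory's sample URL is not constant across requests.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Directory named in the advisory, relative to the Joomla web root.
THUMBNAIL_DIR = "media/com_acym/images/thumbnails"
# Extensions treated as PHP; .php is what the advisory describes, the rest is an assumption.
PHP_EXTENSIONS = (".php", ".phtml", ".phar")

# Apache/nginx "combined" log format (constructed assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def is_thumbnail_upload(method, url):
    """True when the request matches the advisory's exploitation pattern."""
    if method.upper() != "POST":
        return False
    qs = parse_qs(urlsplit(url).query)
    first = lambda key: qs.get(key, [""])[0]
    return (first("option") == "com_acym"
            and first("ctrl") == "frontmails"
            and first("task") == "setNewThumbnail")


def suspicious_requests(log_lines):
    """Return (ip, timestamp, status) for every matching request in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_thumbnail_upload(m["method"], m["url"]):
            hits.append((m["ip"], m["ts"], m["status"]))
    return hits


def php_files_in_thumbnails(web_root):
    """List files with a PHP extension anywhere under the thumbnail directory."""
    found = []
    for root, _dirs, files in os.walk(os.path.join(web_root, THUMBNAIL_DIR)):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                found.append(os.path.join(root, name))
    return sorted(found)


# Constructed sample log: one exploitation attempt, one parameter-reordered attempt,
# one harmless GET to the same URL and one unrelated POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2023:10:15:02 +0000] "POST /index.php?option=com_acym&tmpl=component&4f0877f7c82462a794cb5a042282dbf0=1&ctrl=frontmails&task=setNewThumbnail HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.9 - - [30/Mar/2023:10:16:40 +0000] "POST /index.php?task=setNewThumbnail&ctrl=frontmails&option=com_acym HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.2 - - [30/Mar/2023:10:17:01 +0000] "GET /index.php?option=com_acym&ctrl=frontmails&task=setNewThumbnail HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [30/Mar/2023:10:18:11 +0000] "POST /index.php?option=com_acym&ctrl=frontmails&task=save HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious setNewThumbnail POST:", hit)
    for path in php_files_in_thumbnails("/var/www/html"):  # assumed web root
        print("PHP file in thumbnail directory:", path)
```

Run it against the real access log and web root of the instance; any PHP file the directory scan reports should be treated as an indicator of compromise and examined before removal.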
Solution:
- Update to a fixed version (>= 8.3.0)
Workaround:
- Prevent the execution of PHP files in the thumbnail directory so that injected code cannot be executed
Timeline:
- 2023-02-01: reported
- 2023-03-09: initial vendor notification
- 2023-03-10: initial vendor response
- 2023-03-20: release of fixed version
- 2023-03-30: coordinated public disclosure
Credits:
- Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland
- Coordinator: Bug Bounty Switzerland