Advisory CVE-2023-28731, Unauthenticated RCE affecting the AcyMailing plugin for Joomla

CVE ID: CVE-2023-28731 

Vendor: AcyMailing 

Product: Newsletter Plugin for Joomla in the Enterprise version 

Title: Unauthenticated RCE affecting the AcyMailing plugin for Joomla 

Vulnerable Versions: < 8.3.0 

Problem Type (CWE):  

• CWE-20 Improper Input Validation 
• CWE-434 Unrestricted Upload of File with Dangerous Type 

Impacts (CAPEC): CAPEC-242 Code Injection 

CVSS 3.1:  

• 9.8 Critical 
• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

References:  

• https://www.acymailing.com/change-log/  

• https://www.bugbounty.ch/advisories/CVE-2023-28731  

CVE Description: 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Unrestricted upload of files allows PHP code to be injected, leading to unauthenticated remote code execution, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

• Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
• Editing an AcyMailing template and initiate sending a test email 
• One of the resulting requests sent to the plugin sets a thumbnail, this request can be manipulated and accepts PHP code, which gets stored on the system 
• The resulting PHP file is accessible and enables execution of the injected code 

How to check for exploitation: 

• The thumbnails are stored in the following location: /media/com_acym/images/thumbnails/ 
• Signs of a successful exploitation would be the presence of PHP files in this directory 
• Check for suspicious POST requests similar to “/index.php?option=com_acym&tmpl=component&4f0877f7c82462a794cb5a042282dbf0=1&ctrl=frontmails&task=setNewThumbnail” 

Solution: 

• update to a fixed version (>= 8.3.0) 

Workaround: 

• Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed 

Timeline: 

• 2023-02-01: reported 
• 2023-03-09: initial vendor notification 
• 2023-03-10: initial vendor response 
• 2023-03-20: release of fixed version 
• 2023-03-30: coordinated public disclosure 

Credits: 

• Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
• Coordinator: Bug Bounty Switzerland