Advisory CVE-2023-28732, Missing access control affecting the AcyMailing plugin for Joomla
CVE ID: CVE-2023-28732
Vendor: AcyMailing
Product: Newsletter Plugin for Joomla
Title: Missing access control affecting the AcyMailing plugin for Joomla
Vulnerable Versions: < 8.3.0
Problem Type (CWE):
- CWE-20 Improper Input Validation
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Impacts (CAPEC):
- CAPEC-115 Authentication Bypass
- CAPEC-126 Path Traversal
CVSS 3.1:
- 6.5 Medium
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Source Repository (OSS): https://github.com/acyba/acymailing/
References:
- https://www.acymailing.com/change-log/
- https://github.com/acyba/acymailing/releases/tag/v8.3.0
- https://www.bugbounty.ch/advisories/CVE-2023-28732
CVE Description:
Introduction:
AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress.
The vulnerability:
A missing access control check in the plugin's front-office file handler allows an unauthenticated attacker to list and read files from the plugin's own upload directory, including its log files, which contain sensitive information. Because the folder parameter of the same handler is vulnerable to path traversal, files elsewhere on the system can be listed and read as well. The only precondition is that campaign creation is enabled on the front-office.
This issue affects the AcyMailing Joomla plugin in versions below 8.3.0.
The steps to exploit the vulnerability:
- Campaign creation must be enabled on the front-office; the following steps can then be performed without authentication
- Manipulate the currentFolder URL parameter to list and read the plugin's own log files, which leak PII of users
- Manipulate the same parameter with path traversal (../) to list and read files elsewhere on the system (e.g. in the root directory of Joomla). Only files of allowed types can be listed and read
- Upload arbitrary files. Only allowed file-types can be uploaded
How to check for exploitation:
- Check access logs for requests of the form “/component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs” and for suspicious direct access to files in “/media/com_acym/upload/logs/”
- Check access logs for requests of the form “/component/acym/frontfile.html?currentFolder=media/com_acym/upload/logs/../../../..” (the traversal may also be URL-encoded) and for suspicious reads of allowed file-types anywhere on the filesystem readable by the webserver user
- Check for suspicious files uploaded in /media/com_acym/upload/
- Default allowed file-types are: zip, doc, docx, pdf, xls, txt, gzip, rar, jpg, jpeg, gif, xlsx, pps, csv, bmp, ico, odg, odp, ods, odt, png, ppt, swf, xcf, mp3, wma
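The log checks above can be scripted. The following Python is an added example for this advisory, not code from AcyMailing or from the reporter: it parses combined-format (Apache/Nginx) access log lines, resolves the currentFolder value the way a naive handler would, and tags requests that point at the plugin's log folder, escape the upload root, or fetch log files directly. The SEF path, upload root and log folder come from the advisory; the sample log lines are constructed, the log file name in them is invented, and treating non-GET requests to the handler as possible uploads is an assumption.

```python
"""Triage combined-format access logs for CVE-2023-28732 indicators (added example)."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_ROOT = "media/com_acym/upload"       # plugin upload root, relative to the Joomla root
LOG_DIR = UPLOAD_ROOT + "/logs"             # plugin log folder (leaks PII)
FRONTFILE = "/component/acym/frontfile"     # SEF path of the front-office file handler

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


def resolve_folder(folder: str) -> str:
    """Resolve a currentFolder value against the Joomla root, collapsing '..'.
    parse_qs already decoded once; decoding again catches double-encoded '%252e%252e/'."""
    folder = unquote(folder).replace("\\", "/").lstrip("/")
    return posixpath.normpath(folder) if folder else "."


def inside(path: str, root: str) -> bool:
    """True if the normalised path is root itself or lies below it."""
    return path == root or path.startswith(root + "/")


def classify(line: str):
    """Return (ip, target, tags) for a suspicious line, None for benign or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.group("ip"), m.group("method"), m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path)
    tags = []

    if FRONTFILE in path:
        folder = parse_qs(parts.query).get("currentFolder", [""])[0]
        if folder:
            resolved = resolve_folder(folder)
            if inside(resolved, LOG_DIR):
                tags.append("acym-log-listing")        # listing the plugin's own logs
            elif not inside(resolved, UPLOAD_ROOT):
                tags.append("acym-path-traversal")     # escaped the upload root
        if method != "GET":
            tags.append("acym-frontfile-write")        # assumption: uploads are non-GET

    if path.startswith("/" + LOG_DIR + "/"):
        tags.append("acym-log-file-access")            # direct download of a plugin log file

    return (ip, target, tags) if tags else None


def scan(lines):
    """Run classify over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines; the log file name "2023-03-01.txt" is invented.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2023:10:01:02 +0000] "GET /component/acym/frontfile.html'
    '?currentFolder=media/com_acym/upload/logs HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '203.0.113.7 - - [25/Mar/2023:10:01:05 +0000] "GET /media/com_acym/upload/logs/2023-03-01.txt'
    ' HTTP/1.1" 200 81920 "-" "curl/7.88"',
    '203.0.113.7 - - [25/Mar/2023:10:02:11 +0000] "GET /component/acym/frontfile.html'
    '?currentFolder=media%2Fcom_acym%2Fupload%2Flogs%2F..%2F..%2F..%2F.. HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '198.51.100.3 - - [25/Mar/2023:10:05:00 +0000] "GET /component/acym/frontfile.html'
    '?currentFolder=media/com_acym/upload/images HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [25/Mar/2023:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

The `inside()` check after normalisation is also the containment test a file browser needs on the server side: a currentFolder that does not resolve to a path under the upload root must be rejected before the directory is read. Feed the script real logs with `scan(open("access.log"))`; group hits by source IP to separate a crawler tripping over the upload root from an attacker walking the log folder and the filesystem.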
Solution:
- update to a fixed version (>= 8.3.0)
Timeline:
- 2023-02-01: reported
- 2023-03-09: initial vendor notification
- 2023-03-10: initial vendor response
- 2023-03-20: release of fixed version
- 2023-03-30: coordinated public disclosure
Credits:
- Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland
- Coordinator: Bug Bounty Switzerland