CVE-2023-28731 - OpenCVE

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Acymailing	Acymailing

Configuration 1 [-]

cpe:2.3:a:acymailing:acymailing:*:*:*:*:*:joomla\!:*:*

References

Link	Resource
https://www.acymailing.com/change-log/	Release Notes
https://www.bugbounty.ch/advisories/CVE-2023-28731	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2023-03-30T11:25:36.854Z

Updated: 2023-03-30T11:25:36.854Z

Reserved: 2023-03-22T09:53:07.889Z

Link: CVE-2023-28731

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-30T12:15:07.573

Modified: 2023-11-07T04:10:50.250

Link: CVE-2023-28731

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-28731", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2023-03-22T09:53:07.889Z", "datePublished": "2023-03-30T11:25:36.854Z", "dateUpdated": "2023-03-30T11:25:36.854Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Newsletter Plugin for Joomla in the Enterprise version", "vendor": "AcyMailing", "versions": [{"lessThan": "8.3.0", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rapha\u00ebl Arrouas (Xel)"}, {"lang": "en", "type": "coordinator", "user": "00000000-0000-4000-9000-000000000000", "value": "Bug Bounty Switzerland"}], "datePublic": "2023-03-30T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p>AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. </p></div><div><p>This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0. </p></div><div></div><div><div></div></div><br>"}], "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2023-03-30T11:25:36.854Z"}, "references": [{"url": "https://www.acymailing.com/change-log/"}, {"url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>update to a fixed version (>= 8.3.0)</p>"}], "value": "update to a fixed version (>= 8.3.0)\n\n"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-02-01T11:00:00.000Z", "value": "Reported"}, {"lang": "en", "time": "2023-03-09T11:00:00.000Z", "value": "Initial vendor notification "}, {"lang": "en", "time": "2023-03-10T11:00:00.000Z", "value": "Initial vendor response "}, {"lang": "en", "time": "2023-03-20T11:00:00.000Z", "value": "Releasion of fixed version"}, {"lang": "en", "time": "2023-03-30T10:00:00.000Z", "value": "Coordinated public disclosure "}], "title": "Unauthenticated RCE affecting the AcyMailing plugin for Joomla", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed</p>"}], "value": "Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acymailing:acymailing:*:*:*:*:*:joomla\\!:*:*", "matchCriteriaId": "42A293DB-98EF-464D-BF05-6E47C6EED94C", "versionEndExcluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n"}], "id": "CVE-2023-28731", "lastModified": "2023-11-07T04:10:50.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2023-03-30T12:15:07.573", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Release Notes"], "url": "https://www.acymailing.com/change-log/"}, {"source": "vulnerability@ncsc.ch", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-434"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}