Critical vulnerability found in Joomla! Update as soon as possible

A vulnerability testing specialist just revealed a zero-day vulnerability in versions of Joomla, the popular content management system (CMS) launched between September 2012 and December 2015. The vulnerability could reportedly pose a severe risk to thousands of websites worldwide.

The affected versions may seem too old to matter, but in the case of Joomla! their age may be irrelevant: most website administrators who use this CMS do not usually update the software, for various reasons, mainly the compatibility issues that many plugins present when updating to later versions.

According to vulnerability testing specialists, exploiting this security flaw is really simple for an average hacker, as a single PHP code injection on the CMS home page is enough to let the threat actor execute code remotely on the server.

A longer report, published on the specialized platform ZDNet, mentions that this vulnerability is very similar to the flaw identified as CVE-2015-8562, discovered in 2015. Back then, the vulnerability caused serious problems on thousands of websites around the world.

However, there is a decisive difference between the two flaws. The newly discovered zero-day vulnerability only affects 3.x branch versions, while CVE-2015-8562 affected all versions of Joomla! from 1.5x, so the scope of the new flaw is much smaller.

Joomla! has already been notified, and apparently the security patch for this flaw is already available. However, as already mentioned, it could be difficult to get all Joomla! website administrators to update their deployments as soon as possible.

According to vulnerability testing specialists at the International Institute of Cyber Security (IICS), an outdated CMS can pose serious security issues for website administrators. A couple of months ago, a website exploitation campaign involving abuse of outdated plugins was reported in WordPress, so the CMS and the developers of these tools had to work against the clock to fix the flaws before they were exploited.
