The Thursday release of Joomla 3.4.5 addresses a critical SQL injection vulnerability impacting multiple versions of the popular content management system (CMS), as well as two other bugs deemed moderate in severity.
The SQL injection vulnerability affects websites running Joomla 3.2.0 through 3.4.4 and is the result of inadequate filtering of request data, an advisory said, crediting Asaf Orpani of Trustwave and Netanel Rubin of PerimeterX with identifying the issue.
The SQL injection issue is tracked as CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858.
According to a Trustwave post, CVE-2015-7857 “enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.”
CVE-2015-7858 and CVE-2015-7297 are related bugs that were identified by Orpani as part of his research, the post noted. The SQL injection issue exists in a core module that does not require any extensions, so all websites running affected Joomla versions are at risk of being targeted.
In a Thursday blog post, Daniel Cid, CTO of Sucuri, wrote that he expects attacks targeting the vulnerability to come soon. He said that the bug is easy to exploit and – due to the popularity of Joomla – will likely lead to a large number of compromised websites.
The two moderate bugs are ACL violation vulnerabilities, both of which could allow read access to data that should be access-restricted, according to two separate advisories.
Websites running Joomla 3.2.0 through 3.4.4 are affected by CVE-2015-7859, which is the result of inadequate ACL checks in com_contenthistory. Sites running Joomla 3.0.0 through 3.4.4 are vulnerable to CVE-2015-7899, which is the result of inadequate ACL checks in com_content.