Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Newsletter Plugin for Joomla in the Enterprise version by AcyMailing

    CVE-2023-28733 (GCVE-0-2023-28733)

    Vulnerability from nvd – Published: 2023-03-30 11:27 – Updated: 2025-02-11 19:17
    VLAI
    Title
    Stored XSS affecting the AcyMailing plugin for Joomla
    Summary
    AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Date Public
    2023-03-30 10:00
    Credits
    Raphaël Arrouas (Xel) Bug Bounty Switzerland
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:37.319Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.acymailing.com/change-log/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bugbounty.ch/advisories/CVE-2023-28733"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28733",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-11T19:17:01.611706Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-11T19:17:17.402Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Newsletter Plugin for Joomla in the Enterprise version ",
              "vendor": "AcyMailing",
              "versions": [
                {
                  "lessThan": "8.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rapha\u00ebl Arrouas (Xel)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Bug Bounty Switzerland"
            }
          ],
          "datePublic": "2023-03-30T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign\u0027s creation on front-office. \u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects AnyMailing Joomla Plugin\u0026nbsp;Enterprise in versions below 8.3.0. \u003cbr\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign\u0027s creation on front-office. \n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            },
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-30T11:27:40.884Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://www.acymailing.com/change-log/"
            },
            {
              "url": "https://www.bugbounty.ch/advisories/CVE-2023-28733"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eupdate to a fixed version (\u0026gt;= 8.3.0)\u003c/p\u003e"
                }
              ],
              "value": "update to a fixed version (\u003e= 8.3.0)\n\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-02-06T11:00:00.000Z",
              "value": "Reported"
            },
            {
              "lang": "en",
              "time": "2023-03-09T11:00:00.000Z",
              "value": "Initial vendor notification"
            },
            {
              "lang": "en",
              "time": "2023-03-10T11:00:00.000Z",
              "value": "Initial vendor response"
            },
            {
              "lang": "en",
              "time": "2023-03-20T11:00:00.000Z",
              "value": "Releasion of fixed version"
            },
            {
              "lang": "en",
              "time": "2023-03-30T10:00:00.000Z",
              "value": "Coordinated public disclosure"
            }
          ],
          "title": "Stored XSS affecting the AcyMailing plugin for Joomla ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2023-28733",
        "datePublished": "2023-03-30T11:27:40.884Z",
        "dateReserved": "2023-03-22T09:53:07.889Z",
        "dateUpdated": "2025-02-11T19:17:17.402Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28731 (GCVE-0-2023-28731)

    Vulnerability from nvd – Published: 2023-03-30 11:25 – Updated: 2025-02-11 20:11
    VLAI
    Title
    Unauthenticated RCE affecting the AcyMailing plugin for Joomla
    Summary
    AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Date Public
    2023-03-30 10:00
    Credits
    Raphaël Arrouas (Xel) Bug Bounty Switzerland
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.acymailing.com/change-log/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28731",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-11T20:10:51.852642Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-11T20:11:00.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Newsletter Plugin for Joomla in the Enterprise version",
              "vendor": "AcyMailing",
              "versions": [
                {
                  "lessThan": "8.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rapha\u00ebl Arrouas (Xel)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Bug Bounty Switzerland"
            }
          ],
          "datePublic": "2023-03-30T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cp\u003eAnyMailing Joomla Plugin is vulnerable to\u0026nbsp;unauthenticated remote code execution,\u0026nbsp;when being granted access to the campaign\u0027s creation on front-office due to unrestricted file upload allowing PHP code to be injected. \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects AnyMailing Joomla Plugin\u0026nbsp;Enterprise in versions below 8.3.0. \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
                }
              ],
              "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign\u0027s creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-30T11:25:36.854Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://www.acymailing.com/change-log/"
            },
            {
              "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eupdate to a fixed version (\u0026gt;= 8.3.0)\u003c/p\u003e"
                }
              ],
              "value": "update to a fixed version (\u003e= 8.3.0)\n\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-02-01T11:00:00.000Z",
              "value": "Reported"
            },
            {
              "lang": "en",
              "time": "2023-03-09T11:00:00.000Z",
              "value": "Initial vendor notification "
            },
            {
              "lang": "en",
              "time": "2023-03-10T11:00:00.000Z",
              "value": "Initial vendor response   "
            },
            {
              "lang": "en",
              "time": "2023-03-20T11:00:00.000Z",
              "value": "Releasion of fixed version"
            },
            {
              "lang": "en",
              "time": "2023-03-30T10:00:00.000Z",
              "value": "Coordinated public disclosure "
            }
          ],
          "title": "Unauthenticated RCE affecting the AcyMailing plugin for Joomla",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003ePrevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\u003c/p\u003e"
                }
              ],
              "value": "Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\n\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2023-28731",
        "datePublished": "2023-03-30T11:25:36.854Z",
        "dateReserved": "2023-03-22T09:53:07.889Z",
        "dateUpdated": "2025-02-11T20:11:00.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28733 (GCVE-0-2023-28733)

    Vulnerability from cvelistv5 – Published: 2023-03-30 11:27 – Updated: 2025-02-11 19:17
    VLAI
    Title
    Stored XSS affecting the AcyMailing plugin for Joomla
    Summary
    AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Date Public
    2023-03-30 10:00
    Credits
    Raphaël Arrouas (Xel) Bug Bounty Switzerland
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:37.319Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.acymailing.com/change-log/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bugbounty.ch/advisories/CVE-2023-28733"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28733",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-11T19:17:01.611706Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-11T19:17:17.402Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Newsletter Plugin for Joomla in the Enterprise version ",
              "vendor": "AcyMailing",
              "versions": [
                {
                  "lessThan": "8.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rapha\u00ebl Arrouas (Xel)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Bug Bounty Switzerland"
            }
          ],
          "datePublic": "2023-03-30T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign\u0027s creation on front-office. \u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects AnyMailing Joomla Plugin\u0026nbsp;Enterprise in versions below 8.3.0. \u003cbr\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign\u0027s creation on front-office. \n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            },
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-30T11:27:40.884Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://www.acymailing.com/change-log/"
            },
            {
              "url": "https://www.bugbounty.ch/advisories/CVE-2023-28733"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eupdate to a fixed version (\u0026gt;= 8.3.0)\u003c/p\u003e"
                }
              ],
              "value": "update to a fixed version (\u003e= 8.3.0)\n\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-02-06T11:00:00.000Z",
              "value": "Reported"
            },
            {
              "lang": "en",
              "time": "2023-03-09T11:00:00.000Z",
              "value": "Initial vendor notification"
            },
            {
              "lang": "en",
              "time": "2023-03-10T11:00:00.000Z",
              "value": "Initial vendor response"
            },
            {
              "lang": "en",
              "time": "2023-03-20T11:00:00.000Z",
              "value": "Releasion of fixed version"
            },
            {
              "lang": "en",
              "time": "2023-03-30T10:00:00.000Z",
              "value": "Coordinated public disclosure"
            }
          ],
          "title": "Stored XSS affecting the AcyMailing plugin for Joomla ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2023-28733",
        "datePublished": "2023-03-30T11:27:40.884Z",
        "dateReserved": "2023-03-22T09:53:07.889Z",
        "dateUpdated": "2025-02-11T19:17:17.402Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28731 (GCVE-0-2023-28731)

    Vulnerability from cvelistv5 – Published: 2023-03-30 11:25 – Updated: 2025-02-11 20:11
    VLAI
    Title
    Unauthenticated RCE affecting the AcyMailing plugin for Joomla
    Summary
    AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Date Public
    2023-03-30 10:00
    Credits
    Raphaël Arrouas (Xel) Bug Bounty Switzerland
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.acymailing.com/change-log/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28731",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-11T20:10:51.852642Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-11T20:11:00.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Newsletter Plugin for Joomla in the Enterprise version",
              "vendor": "AcyMailing",
              "versions": [
                {
                  "lessThan": "8.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rapha\u00ebl Arrouas (Xel)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Bug Bounty Switzerland"
            }
          ],
          "datePublic": "2023-03-30T10:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cp\u003eAnyMailing Joomla Plugin is vulnerable to\u0026nbsp;unauthenticated remote code execution,\u0026nbsp;when being granted access to the campaign\u0027s creation on front-office due to unrestricted file upload allowing PHP code to be injected. \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects AnyMailing Joomla Plugin\u0026nbsp;Enterprise in versions below 8.3.0. \u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
                }
              ],
              "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign\u0027s creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-30T11:25:36.854Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "url": "https://www.acymailing.com/change-log/"
            },
            {
              "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eupdate to a fixed version (\u0026gt;= 8.3.0)\u003c/p\u003e"
                }
              ],
              "value": "update to a fixed version (\u003e= 8.3.0)\n\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-02-01T11:00:00.000Z",
              "value": "Reported"
            },
            {
              "lang": "en",
              "time": "2023-03-09T11:00:00.000Z",
              "value": "Initial vendor notification "
            },
            {
              "lang": "en",
              "time": "2023-03-10T11:00:00.000Z",
              "value": "Initial vendor response   "
            },
            {
              "lang": "en",
              "time": "2023-03-20T11:00:00.000Z",
              "value": "Releasion of fixed version"
            },
            {
              "lang": "en",
              "time": "2023-03-30T10:00:00.000Z",
              "value": "Coordinated public disclosure "
            }
          ],
          "title": "Unauthenticated RCE affecting the AcyMailing plugin for Joomla",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003ePrevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\u003c/p\u003e"
                }
              ],
              "value": "Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\n\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2023-28731",
        "datePublished": "2023-03-30T11:25:36.854Z",
        "dateReserved": "2023-03-22T09:53:07.889Z",
        "dateUpdated": "2025-02-11T20:11:00.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }