Vulnerabilities have been discovered in Joomla versions 3.0 through 3.4.4. Joomla is a popular open-source Content Management System (CMS). The SQL injection vulnerability enables an unauthenticated remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the website and execute additional attacks.
- Joomla CMS versions 3.0.0 through 3.4.4
Vulnerabilities have been discovered in Joomla versions 3.0 through 3.4.4. The details are as follows:
- Inadequate filtering of request data leads to a SQL injection vulnerability. CVE-2015-7297, CVE-2015-7857, CVE-2015-7858
- Inadequate ACL checks in com_contenthistory provide potential read access to data which should be access restricted. CVE-2015-7859
- Inadequate ACL checks in com_content provide potential read access to data which should be access restricted. CVE-2015-7899
- Update vulnerable systems running Joomla immediately after appropriate testing.
- Deploy a network intrusion detection system (NIDS) to detect and block attacks and anomalous activity, such as crafted requests containing suspicious URI sequences.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
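As an added example (not part of the advisory), the request-level check behind the NIDS recommendation written as a Python scanner over access-log lines: it flags requests to the two components named above whose query parameters carry SQL-looking fragments. The log format, the heuristic patterns, the parameter names and the sample lines are assumptions constructed for the example, not taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus
# Joomla components named in the advisory; requests to them get closer scrutiny.
WATCHED_COMPONENTS = {"com_contenthistory", "com_content"}

# Heuristic SQL-injection indicators; tune against the site's real traffic to limit noise.
SQLI_PATTERNS = [
    re.compile(r"\b(union\s+(all\s+)?select|information_schema|sleep\s*\(|benchmark\s*\()", re.I),
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),  # quote followed by a tautology
    re.compile(r"(--|/\*|#)\s*$"),                   # trailing SQL comment sequence
]

# Combined-format access-log line (Apache/nginx default); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def suspicious_params(query):
    """Return (parameter, decoded value) pairs whose value matches an SQLi pattern."""
    hits = []
    for name, values in query.items():
        for value in values:
            decoded = unquote_plus(value)  # parse_qs decoded once; this catches double encoding
            if any(p.search(decoded) for p in SQLI_PATTERNS):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Flag requests to watched Joomla components whose query carries SQL-looking fragments."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        component = query.get("option", [""])[0]
        if component not in WATCHED_COMPONENTS:
            continue
        hits = suspicious_params(query)
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "component": component, "params": hits})
    return findings

# Constructed sample log lines (not real traffic); only the second should be flagged,
# the third carries a tautology but targets a component outside the watch list.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2015:10:01:11 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [22/Oct/2015:10:02:30 +0000] "GET /index.php?option=com_contenthistory&view=history&sort=a'%20UNION%20SELECT%201-- HTTP/1.1" 200 2210
198.51.100.4 - - [22/Oct/2015:10:03:02 +0000] "GET /index.php?option=com_users&view=login&return=x'%20OR%20'a'='a HTTP/1.1" 200 800
"""
```

The `status` field is kept in each finding because a 200 on a flagged request is a stronger signal than a 403 and helps triage; the watch list can be widened once the patterns have been tuned on real traffic.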