Lucene search

[email protected]CVE-2023-28731

HistoryMar 30, 2023 - 12:15 p.m.

CVE-2023-28731

2023-03-3012:15:07

CWE-434

CWE-20

[email protected]

web.nvd.nist.gov

cve-2023-28731

anymailing

joomla plugin

vulnerability

unauthenticated

remote code execution

file upload

php code injection

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.7%

JSON

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign’s creation on front-office due to unrestricted file upload allowing PHP code to be injected.

This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

Affected configurations

NVD

Node

acymailingacymailingRange<8.3.0joomla\!

CPENameOperatorVersion
acymailing:acymailingacymailinglt8.3.0

CPE	Name	Operator	Version
acymailing:acymailing	acymailing	lt	8.3.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Newsletter Plugin for Joomla in the Enterprise version",
    "vendor": "AcyMailing",
    "versions": [
      {
        "lessThan": "8.3.0",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]

References

www.acymailing.com/change-log/

www.bugbounty.ch/advisories/CVE-2023-28731

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.7%

JSON

Related for CVE-2023-28731

nvd1 cvelist1 prion1