CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
71.8%
According to its self-reported version number, the Joomla! installation running on the remote web server is prior to 3.7.0. It is, therefore, affected by multiple vulnerabilities :
A flaw exists in the JMail API due to PHPMail version information being included in mail headers. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7983)
A cross-site scripting (XSS) vulnerability exists in the template manager component due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-7984)
A cross-site scripting (XSS) vulnerability exists in unspecified components when handling multibyte characters due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-7985)
A cross-site scripting (XSS) vulnerability exists in unspecified components when handling certain HTML attributes due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-7986)
A cross-site scripting (XSS) vulnerability exists in the template manager component due to inadequate escaping of file and folder name input before returning it to users.
An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-7987)
A flaw exists due to improper sanitization of form content that allows an unauthenticated, remote attacker to overwrite the author of articles. (CVE-2017-7988)
A flaw exists in MIME type checking that allows an authenticated, remote attacker with low privileges to upload SWF files even if this action is not allowed for the privilege level. (CVE-2017-7989)
Multiple unspecified files exist that allow an unauthenticated, remote attacker to disclose the software’s installation path on systems that have error reporting enabled. (CVE-2017-8057)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(99691);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id(
"CVE-2017-7983",
"CVE-2017-7984",
"CVE-2017-7985",
"CVE-2017-7986",
"CVE-2017-7987",
"CVE-2017-7988",
"CVE-2017-7989",
"CVE-2017-8057"
);
script_bugtraq_id(
98016,
98018,
98020,
98021,
98022,
98024,
98028,
98029
);
script_name(english:"Joomla! < 3.7.0 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Joomla!
installation running on the remote web server is prior to 3.7.0. It
is, therefore, affected by multiple vulnerabilities :
- A flaw exists in the JMail API due to PHPMail version
information being included in mail headers. An
unauthenticated, remote attacker can exploit this to
disclose sensitive information. (CVE-2017-7983)
- A cross-site scripting (XSS) vulnerability exists in the
template manager component due to improper validation of
input before returning it to users. An unauthenticated,
remote attacker can exploit this, via a specially
crafted request, to execute arbitrary script code in a
user's browser session. (CVE-2017-7984)
- A cross-site scripting (XSS) vulnerability exists in
unspecified components when handling multibyte
characters due to improper validation of input before
returning it to users. An unauthenticated, remote
attacker can exploit this, via a specially crafted
request, to execute arbitrary script code in a user's
browser session. (CVE-2017-7985)
- A cross-site scripting (XSS) vulnerability exists in
unspecified components when handling certain HTML
attributes due to improper validation of input before
returning it to users. An unauthenticated, remote
attacker can exploit this, via a specially crafted
request, to execute arbitrary script code in a user's
browser session. (CVE-2017-7986)
- A cross-site scripting (XSS) vulnerability exists in the
template manager component due to inadequate escaping of
file and folder name input before returning it to users.
An unauthenticated, remote attacker can exploit this,
via a specially crafted request, to execute arbitrary
script code in a user's browser session. (CVE-2017-7987)
- A flaw exists due to improper sanitization of form
content that allows an unauthenticated, remote attacker
to overwrite the author of articles. (CVE-2017-7988)
- A flaw exists in MIME type checking that allows an
authenticated, remote attacker with low privileges to
upload SWF files even if this action is not allowed for
the privilege level. (CVE-2017-7989)
- Multiple unspecified files exist that allow an
unauthenticated, remote attacker to disclose the
software's installation path on systems that have error
reporting enabled. (CVE-2017-8057)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
# https://www.joomla.org/announcements/release-news/5703-joomla-3-7-is-here.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a262ee37");
# https://developer.joomla.org/security-centre/683-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ffb84a56");
# https://developer.joomla.org/security-centre/684-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8273195b");
# https://developer.joomla.org/security-centre/685-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?14221e7d");
# https://developer.joomla.org/security-centre/686-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e4788626");
# https://developer.joomla.org/security-centre/687-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6ae9552b");
# https://developer.joomla.org/security-centre/688-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4582c692");
# https://developer.joomla.org/security-centre/689-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dfc484cb");
# https://developer.joomla.org/security-centre/690-core-information-disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e30be839");
script_set_attribute(attribute:"solution", value:
"Upgrade to Joomla! version 3.7.0 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8057");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/25");
script_set_attribute(attribute:"patch_publication_date", value:"2017/04/25");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/26");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("joomla_detect.nasl");
script_require_keys("installed_sw/Joomla!", "www/PHP", "Settings/ParanoidReport");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("http.inc");
include("vcf.inc");
port = get_http_port(default:80, php:TRUE);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
app_info = vcf::get_app_info(app:"Joomla!", port:port);
vcf::check_granularity(app_info:app_info, sig_segments:3);
constraints = [
{ "min_version" : "1.5.0", "max_version" : "3.6.5", "fixed_version" : "3.7.0" }
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{xss:true});
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7983
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7984
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7985
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7986
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7987
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7988
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7989
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8057
www.nessus.org/u?14221e7d
www.nessus.org/u?4582c692
www.nessus.org/u?6ae9552b
www.nessus.org/u?8273195b
www.nessus.org/u?a262ee37
www.nessus.org/u?dfc484cb
www.nessus.org/u?e30be839
www.nessus.org/u?e4788626
www.nessus.org/u?ffb84a56
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
71.8%