
CVE-2017-8917 – Easily Exploitable Joomla SQL Flaw

CVE-2017-8917 is a Joomla vulnerability just disclosed by Sucuri researchers. During routine audits, the researchers discovered an SQL injection flaw affecting Joomla! 3.7. The flaw is easily exploitable because it does not require a privileged account on the target site.


More about CVE-2017-8917

The flaw lies in a new component, com_fields, introduced in version 3.7. Admins running this version of Joomla are at risk and should update immediately. Worse, the component is publicly accessible, meaning the bug can be used by anyone who visits the targeted Joomla site.

Furthermore, there are plenty of ways for attackers to exploit such a flaw, such as leaking password hashes or hijacking logged-in users’ sessions. The second scenario could lead to a full compromise of the targeted website if an admin session is stolen, Sucuri explains.

The public-facing com_fields component borrows some views from the administrative side component of the same name. While this may sound odd, it serves a practical purpose: it allows generic code written for the administrator side to be reused instead of being written again from scratch. The downside is that code written for the trusted administrative side is thereby exposed to unauthenticated visitors.
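As an added example (not code from the article, from Sucuri or from the Joomla project), the following script shows how a defender could hunt in web-server access logs for public, non-`/administrator/` requests to the com_fields component whose query parameters carry SQL syntax. The log lines and the `sort` parameter are constructed for the example; only the `option=com_fields` routing convention is standard Joomla URL structure.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not taken from the article).
# Only the third request is a public com_fields request with SQL syntax in a parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [18/May/2017:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [18/May/2017:10:01:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [18/May/2017:10:01:15 +0000] "GET /index.php?option=com_fields&view=fields&sort=x%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.13 - - [18/May/2017:10:02:30 +0000] "POST /administrator/index.php?option=com_fields&task=fields.save HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Coarse SQL-syntax indicators, applied to the URL-decoded parameter value.
# This is a triage hunt, not a blocking rule: a legitimate search for "O'Brien" would also match.
SQLI_RE = re.compile(r"(?i)('|\"|--|/\*|\bunion\b\s+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()")


def suspicious_com_fields_requests(log_text: str) -> list[dict]:
    """Return public (front-end) com_fields requests whose parameters contain SQL syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        url = urlparse(m["path"])
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if params.get("option") != ["com_fields"]:
            continue  # only the component named in the advisory is of interest here
        if url.path.startswith("/administrator/"):
            continue  # back-end requests need an authenticated session; the exposure is the public front end
        for name, values in params.items():
            for value in values:
                if SQLI_RE.search(value):
                    hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "value": value, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in suspicious_com_fields_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']!r} status={hit['status']} value={hit['value']!r}")
```

A non-200 status on a flagged request, as in the sample, is worth correlating with database error logs from the same timestamp.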

Joomla Admins Should Upgrade Immediately

Since Joomla is one of the most popular open source content management systems (CMS), this vulnerability should not be underestimated. One reason Joomla admins should pay close attention to this flaw is that attackers often take advantage of how slowly administrators upgrade: the longer an admin takes to react, the better the chance of a successful attack.

“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now,” Sucuri advises.

Both Joomla and WordPress sites often fall victim to attacks. In 2016, such sites were used to distribute a unique and cleverly crafted attack.


Milena Dimitrova
