CVE-2017-8917 is a Joomla vulnerability just disclosed by Sucuri researchers. During regular research audits, the researchers discovered an SQL injection flaw affecting Joomla! 3.7. The flaw is easily exploitable, as it doesn’t require a privileged account on the target site.
More about CVE-2017-8917
The flaw is triggered by a new component identified as com_fields, introduced in version 3.7. Admins that use this version of Joomla are at risk of an exploit and should update immediately. What is worse is that this component is publicly accessible, meaning that the bug can be used by anyone who visits the targeted Joomla site.
Furthermore, there are plenty of ways for such flaws to be exploited by attackers, such as leaking password hashes or hijacking logged-in users’ sessions. The second scenario could lead to a full compromise of the targeted website if an admin session is stolen, Sucuri explains.
The public-facing com_fields component borrows some views from the administrative side component of the same name. While this may sound like an odd thing to do, it serves a very practical purpose – it allows the reuse of generic code that was written for the other side, instead of writing it from scratch again.
Joomla Admins Should Upgrade Immediately
Since Joomla is one of the most popular open source content management systems (CMS), this vulnerability should not be underestimated. One reason for Joomla admins to pay close attention to this flaw is that attackers often take advantage of how slowly administrators upgrade. The more time it takes for an admin to react, the better the chance of a successful attack.
“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now,” Sucuri advises.
Both Joomla and WordPress sites often fall victim to attacks. In 2016, such sites were used to distribute a unique and cleverly crafted attack.