CVE-2015-7340 SQL Injection in JEvents Joomla Component

1. Vulnerability Properties

Title: SQL Injection in JEvents Joomla Component
CVE ID: CVE-2015-7340
CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Vendor: JEvents
Products: JEvents (3.4.0RC5)
Advisory Release Date: 28 October 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7340
Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>

2. Vulnerability Summary

The JEvents component is vulnerable to SQL injection when a new event is created from the administration back office.

3. Technical Details

To replicate the issue go to:

  • Administration > Components > JEvents > Manage Events > New
  • Create an event and click on Save.
  • Intercept the request and change the parameter evid to a value > 0 (this should be the future id of the event; if this is the first event being created, 1 is the value to insert).
  • Note: check that the parameter updaterepeats is 1; if not, change it to 1.

With this we get the following response, in which the database error shows that we broke the SQL query:

The affected code is in: /joomla/administration/com_jevents/controllers/icalevent.php

Now we inject our SQL query into the evid parameter:

The response contains the proof of injection.
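The defect class behind this advisory, as an added illustration that is not JEvents' own code: the first handler concatenates the request value straight into the statement, the second is the hardened Joomla 3 form that type-enforces evid and updaterepeats before they reach the query. The table and column names are hypothetical placeholders.

```php
<?php
// Added example, not taken from the component. Table/column names are placeholders.

// Vulnerable pattern: evid and updaterepeats are copied from the request as
// raw strings and concatenated into SQL, so any value the client sends is
// interpreted by the database as part of the statement.
function saveRepeatsUnsafe(JDatabaseDriver $db, array $request)
{
    $evid          = $request['evid'];            // attacker-controlled string
    $updateRepeats = $request['updaterepeats'];

    if ($updateRepeats == 1 && $evid > 0) {
        $sql = "UPDATE #__example_repeats SET dirty = 1 WHERE ev_id = " . $evid;
        $db->setQuery($sql);
        return $db->execute();
    }
    return false;
}

// Hardened pattern: the ids are integers by contract, so they are read with
// getInt() (non-numeric input collapses to the default) and the cast value is
// the only thing that reaches the query builder.
function saveRepeatsSafe(JDatabaseDriver $db, JInput $input)
{
    $evid          = $input->getInt('evid', 0);
    $updateRepeats = $input->getInt('updaterepeats', 0);

    if ($updateRepeats !== 1) {
        return false;
    }
    if ($evid <= 0) {
        // A new event has no id yet; a client-supplied one is not trusted.
        throw new InvalidArgumentException('evid must be a positive integer');
    }

    $query = $db->getQuery(true)
        ->update($db->quoteName('#__example_repeats'))
        ->set($db->quoteName('dirty') . ' = 1')
        ->where($db->quoteName('ev_id') . ' = ' . (int) $evid);

    $db->setQuery($query);
    return $db->execute();
}
```

In a real controller the input object comes from JFactory::getApplication()->input; the functions take it as a parameter only so the two patterns can be compared side by side.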


4. Vulnerable Versions

  • JEvents (3.4.0RC5)

5. Solution

  • Upgrade to JEvents 3.4.0 RC6 or the latest version

6. Vulnerability Timeline

  • September 01, 2015 — Bug reported to JEvents
  • September 01, 2015 — JEvents team acknowledges the vulnerability
  • September 02, 2015 — JEvents team releases a new version
  • October 28, 2015 — Public disclosure

7. References

  • https://www.jevents.net/download-area/jevents/item/jevents-3-4