1. Vulnerability Properties
Title: SQL Injection in JEvents Joomla Component
CVE ID: CVE-2015-7340
CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Products: JEvents (3.4.0RC5)
Advisory Release Date: 28 October 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7340
Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>
2. Vulnerability Summary
The JEvents component for Joomla is vulnerable to SQL injection when a new event is saved from the administrator back-end: the evid parameter of the save request is placed into an SQL query without proper sanitisation, so an authenticated back-end user with access to the component can alter the query. This matches the PR:H (high privileges required) in the CVSS vector above.
3. Technical Details
To reproduce the issue:
- In the Joomla administration interface go to Components > JEvents > Manage Events > New.
- Fill in an event and click Save.
- Intercept the save request and change the parameter evid to a value greater than 0 (this is the id the event is about to receive; if no event has been created before, 1 is the value to use).
- Note: check that the parameter updaterepeats is 1; if it is not, change it to 1.
With this we get the following response (the error in the response shows that the value supplied in evid broke the SQL query):
This corresponds to the following code: /joomla/administration/com_jevents/controllers/icalevent.php
Now we inject our SQL query through the evid parameter:
And we get the response containing the proof of injection.
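The following is an added illustration of the bug class, written for this edit; it is not JEvents code, and the table, column names and query shape are assumptions (the real query in icalevent.php is not reproduced here). It uses an in-memory SQLite database to show the three outcomes described above: a normal integer evid, an evid that breaks the query (the error response), and an evid carrying an injected condition or UNION (the proof), next to a hardened handler that only accepts a numeric id and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample data. Table and column names are assumptions for the demo.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ev_id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?)",
                   [(1, "Board meeting"), (2, "Release planning"), (3, "Offsite")])
    # A second table standing in for any other data reachable through the injection.
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(42, "admin"), (43, "editor")])
    db.commit()
    return db


def vulnerable_lookup(db, evid):
    """Vulnerable pattern: the request value is concatenated into the statement.

    Returns ("error", message) when the statement no longer parses (the broken-query
    response seen in the advisory) or ("ok", rows) otherwise.
    """
    sql = "SELECT ev_id, title FROM events WHERE ev_id = " + evid
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def fixed_lookup(db, evid):
    """Hardened pattern: evid must be a plain decimal integer and is bound, not concatenated.

    Returns ("rejected", None) for anything that is not a bare integer.
    """
    if not re.fullmatch(r"[0-9]+", evid):
        return ("rejected", None)
    rows = db.execute("SELECT ev_id, title FROM events WHERE ev_id = ?", (int(evid),)).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    # Step from the advisory: a legitimate id, evid > 0.
    print(vulnerable_lookup(db, "1"))
    # A single quote breaks the query: this is the error response that reveals the injection.
    print(vulnerable_lookup(db, "1'"))
    # Injected condition: every event is returned instead of one.
    print(vulnerable_lookup(db, "1 OR 1=1"))
    # Injected UNION: rows from an unrelated table come back in the same response.
    print(vulnerable_lookup(db, "0 UNION SELECT id, username FROM users"))
    # The hardened handler rejects all of the above and still serves normal ids.
    print(fixed_lookup(db, "1 OR 1=1"), fixed_lookup(db, "2"))
```

The hardened handler shows the two properties that together close this bug: the value is validated as a bare integer before use, and the statement is executed with a bound parameter, so even a value that slipped past validation could not change the query structure. In a PHP component the equivalent is an integer cast of the request value plus a prepared statement or the framework's query builder; the advisory does not say how the RC6 release fixed it, so that is general guidance, not a description of the actual patch.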
4. Vulnerable Versions
- JEvents (3.4.0RC5)
5. Solution
- Upgrade to JEvents 3.4.0 RC6 or the latest version
6. Vulnerability Timeline
- September 01, 2015 — Bug reported to JEvents
- September 01, 2015 — JEvents team acknowledges the vulnerability
- September 02, 2015 — JEvents team releases a new version
- October 28, 2015 — Public disclosure