CVE-2015-7340 SQL Injection in JEvents Joomla Component
1. Vulnerability Properties
Title: SQL Injection in JEvents Joomla Component
CVE ID: CVE-2015-7340
CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Vendor: JEvents
Products: JEvents (3.4.0RC5)
Advisory Release Date: 28 October 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7340
Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>
2. Vulnerability Summary
The JEvents component is vulnerable to SQL injection when a new event is saved from the administrator back office. The evid request parameter is placed in an SQL statement without validation, so an authenticated back-office user can alter the query.
3. Technical Details
To reproduce the issue, go to:
Administration > Components > JEvents > Manage Events > New
Create an event and click Save.
Intercept the request and change the evid parameter to a value greater than 0. This should be the id the event is about to receive; if it is the first event created on the site, use 1.
Note: check that the updaterepeats parameter is set to 1; if it is not, change it to 1.
The response returned a database error: the modified evid value was inserted directly into the SQL statement and broke the query.
The affected code is in /joomla/administration/com_jevents/controllers/icalevent.php.
We then inject our own SQL through the evid parameter:
The response returned the result of the injected query, confirming the vulnerability.
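The class of bug described above, and the fix the upgrade is expected to contain, shown as an added illustration written for this page. This is not JEvents' own code: the function names, the table and column names, and the exact shape of the query are assumptions chosen to show the pattern, which is a request parameter (evid) concatenated into SQL versus the same lookup done with an integer cast and Joomla's query builder.

```php
<?php
// Added illustration of the vulnerability class in this advisory.
// Not JEvents code: function, table and column names are placeholders.
defined('_JEXEC') or die;

// Vulnerable pattern (assumed): evid is read as a raw string and appended
// to the SQL text. A value such as "1 UNION SELECT ..." becomes part of the
// statement, which is what the broken-query response in the advisory shows.
function loadEventUnsafe()
{
    $app  = JFactory::getApplication();
    $evid = $app->input->getString('evid');          // attacker-controlled text
    $db   = JFactory::getDbo();

    // Placeholder table/column names; the concatenation is the bug.
    $sql = 'SELECT * FROM #__jevents_example WHERE ev_id = ' . $evid;
    $db->setQuery($sql);

    return $db->loadObject();
}

// Hardened pattern: the id is taken as an integer at the input boundary,
// range-checked, and the query is assembled with the query builder so the
// value can never carry SQL syntax into the statement.
function loadEventSafe()
{
    $app  = JFactory::getApplication();
    $evid = $app->input->getInt('evid', 0);           // non-numeric input becomes 0
    if ($evid <= 0) {
        throw new InvalidArgumentException('evid must be a positive integer');
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__jevents_example'))
        ->where($db->quoteName('ev_id') . ' = ' . (int) $evid);
    $db->setQuery($query);

    return $db->loadObject();
}
```

The check a reviewer would apply to the real controller is the same one the two functions contrast: find every place a request value reaches $db->setQuery(), and confirm it is either cast to the expected scalar type (as with getInt and the (int) cast here) or passed through $db->quote(). The advisory's note about updaterepeats only matters for reaching the vulnerable code path; it does not change the fix.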
4. Vulnerable Versions
JEvents (3.4.0RC5)
5. Solution
Upgrade to JEvents 3.4.0RC6 or a later version.
6. Vulnerability Timeline
September 01, 2015 — Bug reported to JEvents
September 01, 2015 — JEvents team acknowledges the vulnerability
September 02, 2015 — JEvents team releases a new version