CVE-2015-7340 - SQL Injection in JEvents Joomla Component

1. Vulnerability Properties

  • Title: SQL Injection in JEvents Joomla Component
  • CVE ID: CVE-2015-7340
  • CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
  • Vendor: JEvents
  • Products: JEvents (3.4.0RC5)
  • Advisory Release Date: 28 October 2015
  • Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7340
  • Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>

2. Vulnerability Summary

The JEvents component is vulnerable to SQL injection when saving a new event from the Joomla administrator back office.

3. Technical Details

To reproduce the issue, go to:

Administration > Components > JEvents > Manage Events > New

image1

  • Create an event and click Save.
  • Intercept the save request and change the evid parameter to a value greater than 0. This is the id the new event will receive once stored; if it is the first event created on this installation, use 1.
  • Note: check that the updaterepeats parameter is set to 1; if it is not, change it to 1. The vulnerable code path is only reached when this flag is set.

image2

This produces the following response; the database error shows that the value supplied in evid broke the SQL query:

image3

The affected code is in /joomla/administration/com_jevents/controllers/icalevent.php:

image4

Now we inject our SQL query through the evid parameter:

image5

The response contains the proof that the injected query was executed:

image6
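The screenshots above show the two observations the advisory relies on: a malformed evid value produces a database error (the query was broken), and a well-formed payload returns attacker-chosen rows. The following model reproduces both, with the flawed handler beside its hardened form. It is an added illustration written for this page, not JEvents' code: the handler names, the event/user tables and the exact query text are assumptions, and the data is constructed. What it does preserve is the control flow the advisory describes, in that the injectable query is only reached when updaterepeats is 1 and evid is non-zero.

```python
import sqlite3

# Constructed in-memory schema for the demonstration; it is not JEvents' real schema.
SCHEMA = """
CREATE TABLE events (ev_id INTEGER PRIMARY KEY, summary TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO events VALUES (1, 'Team meeting');
INSERT INTO users  VALUES (1, 'admin', 'hash-of-admin-password');
"""


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def save_event_vulnerable(con, params):
    """Hypothetical model of the flawed save handler (not the real JEvents code).

    The repeat-update branch is only taken when updaterepeats == '1' and
    evid is non-zero, which is why the advisory says to set both.  Inside
    that branch evid is concatenated into the SQL text unchanged.
    """
    evid = params.get("evid", "0")
    if params.get("updaterepeats") != "1" or evid == "0":
        return []                      # the branch containing the flaw is never reached
    sql = "SELECT ev_id, summary FROM events WHERE ev_id = " + evid
    return con.execute(sql).fetchall()


def save_event_fixed(con, params):
    """Same logic, hardened: evid is coerced to an integer before any SQL is
    built, and the value travels to the database as a bound parameter."""
    evid = int(params.get("evid", "0"))   # raises ValueError on anything non-numeric
    if params.get("updaterepeats") != "1" or evid == 0:
        return []
    sql = "SELECT ev_id, summary FROM events WHERE ev_id = ?"
    return con.execute(sql, (evid,)).fetchall()


def submit(handler, params):
    """Run a handler against a fresh database and classify the outcome the way
    the advisory's screenshots do: a broken query surfaces as a database error,
    a successful injection as extra rows in the response."""
    con = fresh_db()
    try:
        rows = handler(con, params)
    except sqlite3.Error as exc:       # malformed query text (the advisory's image3)
        return ("sql_error", str(exc))
    except ValueError as exc:          # hardened handler rejected a non-numeric evid
        return ("rejected", str(exc))
    finally:
        con.close()
    return ("ok", rows)


# Constructed payloads: the first breaks the query (step 2 of the advisory),
# the second appends attacker-chosen rows to the result.
BREAK_QUERY = "1'"
UNION_DUMP = "1 UNION ALL SELECT id, username || ':' || password FROM users"

if __name__ == "__main__":
    for evid in (BREAK_QUERY, UNION_DUMP):
        for name, handler in (("vulnerable", save_event_vulnerable),
                              ("fixed", save_event_fixed)):
            print(name, repr(evid), submit(handler, {"evid": evid, "updaterepeats": "1"}))
```

Submitting UNION_DUMP to the vulnerable handler without updaterepeats returns no rows at all, which is the reason for the note in the reproduction steps. The fix is the usual one for an id that must be numeric: cast it before use (in Joomla terms, read it as an integer rather than a raw string) and bind it instead of concatenating it.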

4. Vulnerable Versions

  • JEvents (3.4.0RC5)

5. Solution

  • Upgrade to JEvents 3.4.0 RC6 or a later version

6. Vulnerability Timeline

  • September 01, 2015 — Bug reported to JEvents
  • September 01, 2015 — JEvents team acknowledges the vulnerability
  • September 02, 2015 — JEvents team releases a new version
  • October 28, 2015 — Public disclosure

7. References
