A vulnerability testing specialist just revealed a zero-day vulnerability in versions of Joomla, the popular content management system (CMS) launched between September 2012 and December 2015. The vulnerability could reportedly pose a severe risk to thousands of websites worldwide.
This flaw may seem too old, but in the case of Joomla! this might be irrelevant, as most website administrators who use this CMS do not usually update the software for various reasons, mainly due to the compatibility issues that many plugins present when updating this to further versions.
According to vulnerability testing specialists, exploiting this security flaw is really simple for an average hacker, as only one PHP code injection is enough on the CMS home page to enable the threat actor to be able to execute code remote on the server.
A larger report, published on the specialized platform ZDNet, mentions that this vulnerability is very similar to the flaw identified as CVE-2015-8562, discovered in 2015. Back then the vulnerability caused serious problems on thousands of websites around the world.
However, there is a decisive difference between the two flaws. The newly discovered zero-day vulnerability only affects 3.x branch versions, while CVE-2015-8562 affected all versions of Joomla! from 1.5x, so the scope of the new fault is much smaller.
Joomla! it has already been notified and apparently the security patch for this flaw is already available. However, as already mentioned, it could be difficult for all website administrators in Joomla! decide to update their deployments as soon as possible.
According to vulnerability testing specialists at the International Institute of Cyber Security (IICS), outdated CMS can pose serious security issues for website administrators. A couple of months ago a website exploitation campaign was reported in WordPress involving abuse of outdated plugins, so the CMS and the developers of these tools had to work against the clock to fix the flaws before they exploited.