Version 3.7 of Joomla, pushed out less than a month ago, opens websites to SQL injection attacks, Sucuri Security researchers have found.
As explained by researcher Marc-Alexandre Montpas: “The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site.”
Sucuri published technical details about the vulnerability on Wednesday, in the wake of the release of Joomla 3.7.1, which fixes this severe issue along with several other bugs.
The SQLi vulnerability (CVE-2017-8917) is easy to exploit, and can be exploited remotely.
“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas noted.
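The two quotes above describe the root cause (a publicly reachable component passing request input into SQL) and the consequence (leaking hashes and sessions). The following Python snippet is an added illustration, not code from Joomla or from Sucuri's write-up, and it does not reproduce the actual com_fields defect: it contrasts a query built by string concatenation with the hardened equivalent (bound parameters for values, an allow-list for identifiers such as sort columns, which cannot be bound). The table, rows, hash strings and session tokens are constructed sample data.

```python
import sqlite3

# Constructed sample data, not Joomla's real schema: a tiny users table with
# placeholder password hashes and session identifiers.
SAMPLE_ROWS = [
    (1, "admin", "$2y$10$constructed_hash_admin", "sess-admin-0001"),
    (2, "editor", "$2y$10$constructed_hash_editor", "sess-editor-0002"),
    (3, "guest", "$2y$10$constructed_hash_guest", "sess-guest-0003"),
]

# Hypothetical allow-list: the only columns a request may sort by.
ALLOWED_SORT = {"id", "username"}


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, session TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username, sort_by="id"):
    """Vulnerable pattern: request values are spliced straight into the SQL text.

    A value containing a quote changes the meaning of the WHERE clause, and an
    arbitrary sort_by string changes the ORDER BY clause.
    """
    sql = (
        f"SELECT id, username FROM users "
        f"WHERE username = '{username}' ORDER BY {sort_by}"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username, sort_by="id"):
    """Hardened pattern: bind data values, allow-list identifiers.

    Placeholders keep the username a literal regardless of its content; the
    sort column is an identifier and cannot be bound, so it is checked against
    a fixed set of names before it reaches the query.
    """
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT id, username FROM users WHERE username = ? ORDER BY {sort_by}"
    return conn.execute(sql, (username,)).fetchall()


def sort_is_rejected(conn, sort_by):
    """Return True if the hardened lookup refuses the given sort column."""
    try:
        lookup_safe(conn, "admin", sort_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # The textbook tautology: the unsafe query matches every row, the safe
    # query treats the same string as a username that does not exist.
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))
    print("safe:  ", lookup_safe(db, probe))
    print("sort 'password' rejected:", sort_is_rejected(db, "password"))
```

Run it and the unsafe lookup returns all three accounts for a username that matches none of them, which is exactly the path from "publicly accessible component" to "leaked password hashes" that the article describes; the hardened lookup returns nothing for the same input and refuses a sort column outside the allow-list.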
Joomla is the second-most widely used open source content management system in the world. While the number of sites powered by it is dwarfed by that of sites running on WordPress, it is still considerable.
This popularity is a boon to attackers, who are quick to exploit public vulnerability information and the fact that many administrators are slow to upgrade, as evidenced many times before.
“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now,” Montpas advised.