Version 3.7 of Joomla, released less than a month ago, opens websites to SQL injection attacks, Sucuri Security researchers have found.
As explained by researcher Marc-Alexandre Montpas: “The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site.”
The SQL injection vulnerability (CVE-2017-8917) is easy to exploit and can be exploited remotely, without authentication: because com_fields is exposed on the public front end, any anonymous visitor can reach the affected code. The issue is fixed in Joomla 3.7.1.
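Because the vulnerable component is reachable by anyone, the first thing a site owner usually wants is a way to spot probing in the web server logs. The following Python script is an added example for this article; it is not code from Sucuri, from the Joomla project, or from the original page. It parses Apache/nginx "combined" format access-log lines, keys only on the component name the article identifies (option=com_fields), URL-decodes every parameter value (including one extra round for double-encoded payloads) and flags values that carry common SQL injection indicators. The log lines are constructed for the example, the parameter name `ordering` and the payloads in them are placeholders, and the detector deliberately does not assume which parameter was vulnerable; it inspects every value.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format prefix:
# client ident user [time] "METHOD target HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Heuristic SQL injection indicators, matched against fully decoded parameter
# values. Deliberately broad; false-positive tuning belongs in the SIEM.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bunion\b.*\bselect\b",
        r"\bselect\b.*\bfrom\b",
        r"\b(sleep|benchmark|extractvalue|updatexml)\s*\(",
        r"\bor\b\s+\d+\s*=\s*\d+",
        r"\binformation_schema\b",
        r"(--|#|/\*)",              # comment sequences used to truncate the query
        r"['\"]\s*(or|and)\b",      # closing quote followed by a boolean operator
    )
]

# Constructed sample traffic (not real logs). "ordering" is a placeholder
# parameter name chosen for the example, not a claim about the real bug.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2017:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2017:10:01:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&ordering=id%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2017:10:01:15 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&ordering=id%2520UNION%2520SELECT%2520password%2520FROM%2520users HTTP/1.1" 500 412 "-" "Mozilla/5.0"
198.51.100.2 - - [20/May/2017:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
198.51.100.2 - - [20/May/2017:10:02:30 +0000] "GET /administrator/index.php?option=com_fields&view=fields&filter%5Bsearch%5D=x%27%20OR%201%3D1 HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""


def full_decode(value, rounds=2):
    """Undo up to `rounds` extra layers of percent-encoding so that a
    double-encoded payload (%2527 -> %27 -> ') is inspected in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return a finding dict for a suspicious com_fields request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl performs the first percent-decoding round for us.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() == "option" and v.lower() == "com_fields" for k, v in params):
        return None
    hits = []
    for key, raw in params:
        value = full_decode(raw)
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append((key, value[:80]))
                break
    if not hits:
        return None
    # The front end is the unauthenticated surface the advisory describes; the
    # administrator path is recorded separately so both can be triaged.
    area = "administrator" if parts.path.startswith("/administrator/") else "site"
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": m.group("status"),
        "area": area,
        "hits": hits,
    }


def scan_log(text):
    """Run analyse_line over every line of an access log and keep the findings."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `scan_log(open("access.log").read())`. A single flagged request is worth a look; a burst from one client against the front end, mixed with 500 responses as in the third sample line, is the pattern to alert on, since error pages are the usual feedback channel for blind injection probing.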
“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas noted.
Joomla is the second-most widely used open source content management system in the world. While the number of sites powered by it is dwarfed by that of sites running on WordPress, it is still considerable.
“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now,” Montpas advised.