PRP: CVE-2023-23752 Joomla Improper AccessCheck in WebService Endpoint #276
Comments
Hi @amammad, Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development. Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have. Thanks!
Hi, this vulnerability can lead to RCE (from externally exposed MySQL servers).
Thanks for the follow up, I will start reviewing the pull request this week!
CC for @tooryx
Hi @am0o0, Unfortunately it seems like copybara[bot] wrongly flagged the PR as merged when I merged the Confluence one, but its review is not complete. Please bear with us, we will continue the review of this plugin after the holiday season. Apologies for the misbehavior here. ~tooryx
Hi @am0o0, I have labeled your other issues as "Contributor queue" for now. We are enforcing the one review per contributor rule more strictly, as we cannot keep up with review otherwise. We will review this plugin and then dequeue the other ones progressively. If you would rather prioritize one of your other contributions instead, let me know. If you think I incorrectly labeled one of the issues, please let me know.
Hi, I'd like to write a plugin for CVE-2023-23752, which is a critical and emergent vulnerability (released two days ago).
Reference:
full report and explanations of this CVE
CVE Page
Description:
from Reference
Note that Tsunami can detect this vulnerability, as it is a simple GET request to the following path:
/api/index.php/v1/config/application?public=true
The detector should get a 200 status code and check some JSON fields.
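The detection logic the issue sketches (one unauthenticated GET, expect HTTP 200, then inspect the JSON for configuration fields that should never be public), written out as an added Python example. This is not the Tsunami plugin or any code from the issue author; Tsunami plugins are Java. The endpoint path is the one quoted in the issue. The specific attribute names treated as sensitive (`user`, `password`, `host`, `db`, `dbtype`, `dbprefix`) and the shape of the sample response are assumptions based on how this CVE has been publicly described, and the sample response itself is constructed with placeholder values so the check runs offline.

```python
"""Offline detection check for CVE-2023-23752 (Joomla unauthenticated config
disclosure). Added example, not the Tsunami plugin: models the check the
issue describes, GET the public config endpoint, require HTTP 200, and look
for configuration attributes that an unauthenticated caller must never see."""
import json
from dataclasses import dataclass, field
from urllib import error, request

# The unauthenticated endpoint named in the issue.
VULN_PATH = "/api/index.php/v1/config/application?public=true"

# Assumption: Joomla configuration keys whose exposure proves the access
# check is missing. The issue only says "check some JSON fields".
SENSITIVE_KEYS = frozenset({"dbtype", "host", "user", "password", "db", "dbprefix"})
# Only flag when the fields that make the leak exploitable are present.
REQUIRED_KEYS = frozenset({"user", "password"})


@dataclass
class Finding:
    vulnerable: bool
    leaked: dict = field(default_factory=dict)
    reason: str = ""


def analyze(status: int, body: bytes) -> Finding:
    """Decide from one HTTP response whether the instance leaks its config."""
    if status != 200:
        return Finding(False, reason=f"status {status}, expected 200")
    try:
        doc = json.loads(body)
    except ValueError:
        return Finding(False, reason="body is not JSON")
    items = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        return Finding(False, reason="no JSON:API 'data' array")
    leaked = {}
    for item in items:
        attrs = item.get("attributes", {}) if isinstance(item, dict) else {}
        for key, value in attrs.items():
            if key in SENSITIVE_KEYS:
                leaked[key] = value
    if REQUIRED_KEYS.issubset(leaked):
        return Finding(True, leaked, "database credentials exposed without authentication")
    # A 200 without credential fields is not a finding on its own: the
    # endpoint may be patched, or the target may not be Joomla at all.
    return Finding(False, leaked, "200 but no credential fields in response")


def probe(base_url: str, timeout: float = 10.0) -> Finding:
    """Live check against a Joomla site; not exercised by the offline sample."""
    req = request.Request(
        base_url.rstrip("/") + VULN_PATH,
        headers={"Accept": "application/vnd.api+json"},  # Joomla 4 API speaks JSON:API
    )
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return analyze(resp.status, resp.read())
    except error.HTTPError as e:
        return analyze(e.code, e.read())


# Constructed sample of a leaking response: one attribute per 'data' item,
# as publicly reported for this CVE. All values are fabricated placeholders.
SAMPLE_LEAK = json.dumps({
    "links": {"self": "http://example.invalid/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": "224", "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "joomla_user", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "placeholder-secret", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla_db", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "jos_", "id": 224}},
    ],
}).encode()

# Constructed sample of a response that returns 200 but leaks nothing useful.
SAMPLE_CLEAN = json.dumps({
    "data": [{"type": "application", "id": "224", "attributes": {"offline": False, "id": 224}}]
}).encode()

if __name__ == "__main__":
    print(analyze(200, SAMPLE_LEAK))
    print(analyze(200, SAMPLE_CLEAN))
    print(analyze(404, b"Not Found"))
```

The check deliberately requires both `user` and `password` before reporting, rather than any 200 response: a 200 alone is what a patched Joomla or an unrelated application returning JSON might also produce, and a detector keyed only on the status code would generate false positives.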