CVE-2023-28731 - Vulnerability Details - OpenCVE

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected.

This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0291.

Exploitation none

Automatable yes

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AcyMailing

Newsletter Plugin for Joomla in the Enterprise version

unaffected

Version	Status	Constraints
`0`	affected	< 8.3.0

Configuration 1 [-]

cpe:2.3:a:acymailing:acymailing:*:*:*:*:*:joomla\!:*:*

No data.

No data.

Project Subscriptions

Vendors	Products
Acymailing Subscribe	Acymailing Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2023-32369	AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

Fixes

Solution

update to a fixed version (>= 8.3.0)

Workaround

Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed

References

Link	Providers
https://www.acymailing.com/change-log/
https://www.bugbounty.ch/advisories/CVE-2023-28731

History

Tue, 11 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2023-03-30T11:25:36.854Z

Updated: 2025-02-11T20:11:00.208Z

Reserved: 2023-03-22T09:53:07.889Z

Link: CVE-2023-28731

Vulnrichment

Updated: 2024-08-02T13:43:23.737Z

NVD

Status : Modified

Published: 2023-03-30T12:15:07.573

Modified: 2024-11-21T07:55:53.507

Link: CVE-2023-28731

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28731", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2023-03-22T09:53:07.889Z", "datePublished": "2023-03-30T11:25:36.854Z", "dateUpdated": "2025-02-11T20:11:00.208Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Newsletter Plugin for Joomla in the Enterprise version", "vendor": "AcyMailing", "versions": [{"lessThan": "8.3.0", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rapha\u00ebl Arrouas (Xel)"}, {"lang": "en", "type": "coordinator", "user": "00000000-0000-4000-9000-000000000000", "value": "Bug Bounty Switzerland"}], "datePublic": "2023-03-30T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p>AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. </p></div><div><p>This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0. </p></div><div></div><div><div></div></div><br>"}], "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2023-03-30T11:25:36.854Z"}, "references": [{"url": "https://www.acymailing.com/change-log/"}, {"url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>update to a fixed version (>= 8.3.0)</p>"}], "value": "update to a fixed version (>= 8.3.0)\n\n"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-02-01T11:00:00.000Z", "value": "Reported"}, {"lang": "en", "time": "2023-03-09T11:00:00.000Z", "value": "Initial vendor notification "}, {"lang": "en", "time": "2023-03-10T11:00:00.000Z", "value": "Initial vendor response "}, {"lang": "en", "time": "2023-03-20T11:00:00.000Z", "value": "Releasion of fixed version"}, {"lang": "en", "time": "2023-03-30T10:00:00.000Z", "value": "Coordinated public disclosure "}], "title": "Unauthenticated RCE affecting the AcyMailing plugin for Joomla", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed</p>"}], "value": "Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:43:23.737Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.acymailing.com/change-log/", "tags": ["x_transferred"]}, {"url": "https://www.bugbounty.ch/advisories/CVE-2023-28731", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T20:10:51.852642Z", "id": "CVE-2023-28731", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T20:11:00.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.acymailing.com/change-log/", "tags": ["x_transferred"]}, {"url": "https://www.bugbounty.ch/advisories/CVE-2023-28731", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:43:23.737Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28731", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-11T20:10:51.852642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T20:10:27.463Z"}}], "cna": {"title": "Unauthenticated RCE affecting the AcyMailing plugin for Joomla", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rapha\u00ebl Arrouas (Xel)"}, {"lang": "en", "type": "coordinator", "user": "00000000-0000-4000-9000-000000000000", "value": "Bug Bounty Switzerland"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AcyMailing", "product": "Newsletter Plugin for Joomla in the Enterprise version", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.0", "versionType": "git"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-02-01T11:00:00.000Z", "value": "Reported"}, {"lang": "en", "time": "2023-03-09T11:00:00.000Z", "value": "Initial vendor notification "}, {"lang": "en", "time": "2023-03-10T11:00:00.000Z", "value": "Initial vendor response "}, {"lang": "en", "time": "2023-03-20T11:00:00.000Z", "value": "Releasion of fixed version"}, {"lang": "en", "time": "2023-03-30T10:00:00.000Z", "value": "Coordinated public disclosure "}], "solutions": [{"lang": "en", "value": "update to a fixed version (>= 8.3.0)\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>update to a fixed version (>= 8.3.0)</p>", "base64": false}]}], "datePublic": "2023-03-30T10:00:00.000Z", "references": [{"url": "https://www.acymailing.com/change-log/"}, {"url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"}], "workarounds": [{"lang": "en", "value": "Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed</p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<div><p>AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. </p></div><div><p>This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0. </p></div><div></div><div><div></div></div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2023-03-30T11:25:36.854Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28731", "state": "PUBLISHED", "dateUpdated": "2025-02-11T20:11:00.208Z", "dateReserved": "2023-03-22T09:53:07.889Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2023-03-30T11:25:36.854Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acymailing:acymailing:*:*:*:*:*:joomla\\!:*:*", "matchCriteriaId": "42A293DB-98EF-464D-BF05-6E47C6EED94C", "versionEndExcluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AnyMailing Joomla Plugin is vulnerable to\u00a0unauthenticated remote code execution,\u00a0when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. \n\n\n\nThis issue affects AnyMailing Joomla Plugin\u00a0Enterprise in versions below 8.3.0. \n\n\n\n\n\n\n\n\n\n\n"}], "id": "CVE-2023-28731", "lastModified": "2024-11-21T07:55:53.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vulnerability@ncsc.ch", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-30T12:15:07.573", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Release Notes"], "url": "https://www.acymailing.com/change-log/"}, {"source": "vulnerability@ncsc.ch", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.acymailing.com/change-log/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.bugbounty.ch/advisories/CVE-2023-28731"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-434"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}