Impact
The iCagenda extension for Joomla contains a flaw that allows an attacker to upload arbitrary files via the file attachment feature, ultimately leading to PHP code upload and execution. This vulnerability is classified as CWE-434.
Affected Systems
The affected product is the iCagenda extension for Joomla, provided by icagenda.com. Versions older than Joomla 4.0.8 or 3.9.15 are vulnerable. No further version details are supplied by the CNA.
Risk and Exploitability
The CVSS score of 10 indicates the highest severity. EPSS score of <1% indicates a very low but non-zero exploitation probability. The vulnerability can be fully exploited via the web interface's file attachment upload. The vulnerability is not listed in CISA KEV, and because it enables PHP code execution, it poses a significant threat.
OpenCVE Enrichment