-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability CVE-2018-17856 explicitly references improper access control in com_joomlaupdate. Joomla's component architecture uses controllers to handle user actions. The startupdate method in the JoomlaupdateControllerUpdate class is responsible for initiating updates, which involves executing code to apply patches. In vulnerable versions, the controller lacked proper authorization checks (e.g., requiring core.admin privileges), allowing lower-privileged Administrators to trigger the update process. The patch in version 3.8.13 likely enforced stricter ACL checks (e.g., core.admin) in this controller method, aligning with the advisory's description of 'inadequate default access levels'.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| joomla/framework | composer | >= 2.5.4, <= 3.8.12 | 3.8.13 |