
[Vulnerability notice] CVE-2017-8917: SQL injection vulnerability in Joomla! 3.7.0 Core

Last Updated: Apr 08, 2018

On May 17, 2017, researchers detected an SQL injection vulnerability in Joomla! 3.7.0 Core, the open-source CMS. The vulnerability is rated high risk and may lead to data leakage.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-8917

Vulnerability name

Joomla! 3.7.0 Core SQL injection vulnerability

Vulnerability rating

High

Vulnerability description

Joomla! 3.7.0 introduced a new component, com_fields. Any user can access the component directly without logging in, and because the component applies insufficient filtering to request data, the result is SQL injection. The injection allows sensitive information to be read from the database, such as users' password hashes and the session data of logged-in users. An attacker who obtains a logged-in administrator's session can take control of the entire website's backend.
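The following is an added illustration of the root-cause pattern the description refers to: a request parameter from an unauthenticated user reaching an SQL ORDER BY clause without strict validation, shown next to the allowlist check that closes that class of hole. It is not Joomla's code and not the actual 3.7.1 fix; the table name, column names and request keys are assumed for the example, and an in-memory SQLite database (PDO) is used so the script runs offline.

```php
<?php
// Added example, not Joomla's code. Table/column names and request keys are assumed.
// Shows the pattern behind "loose filtering of requested data" leading to SQL injection,
// and an allowlist-based replacement.

// Vulnerable pattern: the request value is trusted and interpolated into the query.
function buildFieldsQueryVulnerable(array $request): string
{
    $ordering  = $request['ordering']  ?? 'id';   // attacker-controlled, never validated
    $direction = $request['direction'] ?? 'ASC';  // attacker-controlled, never validated
    // Loose filtering: nothing checks that $ordering names a real column.
    return "SELECT id, title FROM fields ORDER BY $ordering $direction";
}

// Hardened pattern: only allowlisted identifiers and directions can reach SQL.
const ALLOWED_ORDER_COLUMNS = ['id', 'title', 'created'];
const ALLOWED_DIRECTIONS    = ['ASC', 'DESC'];

function buildFieldsQuerySafe(array $request): string
{
    $ordering  = $request['ordering'] ?? 'id';
    $direction = strtoupper($request['direction'] ?? 'ASC');

    if (!in_array($ordering, ALLOWED_ORDER_COLUMNS, true)) {
        throw new InvalidArgumentException('Rejected ordering value: ' . $ordering);
    }
    if (!in_array($direction, ALLOWED_DIRECTIONS, true)) {
        throw new InvalidArgumentException('Rejected direction value: ' . $direction);
    }
    // The identifier is now one of three known literals; quote it anyway as defence in depth.
    return sprintf('SELECT id, title FROM fields ORDER BY "%s" %s', $ordering, $direction);
}

// Demo against an in-memory SQLite database so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fields (id INTEGER PRIMARY KEY, title TEXT, created TEXT)');
$db->exec("INSERT INTO fields (title, created) VALUES ('b', '2017-05-01'), ('a', '2017-05-02')");

// A benign request is accepted by the hardened builder and sorts as expected.
$benign = ['ordering' => 'title', 'direction' => 'asc'];
foreach ($db->query(buildFieldsQuerySafe($benign)) as $row) {
    echo $row['title'], "\n";               // prints "a" then "b"
}

// A request whose ordering value is not a column name: the vulnerable builder
// copies the raw string into SQL, while the hardened builder refuses it before
// any query is built.
$suspicious = ['ordering' => 'title, (not a column)', 'direction' => 'ASC'];
echo buildFieldsQueryVulnerable($suspicious), "\n";
try {
    buildFieldsQuerySafe($suspicious);
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), "\n";
}
```

Run with `php example.php` (requires the pdo_sqlite extension). The defensive point is that sort columns and directions are identifiers, not data, so prepared-statement placeholders cannot protect them; the only sound control is to map the request value onto a fixed set of known identifiers and reject everything else.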

Condition and method of exploitation

Remote exploitation

Affected scope

Joomla! 3.7.0 Core

How to fix or mitigate

We recommend that you upgrade to the official patched release (Joomla! 3.7.1) immediately; it is available at https://downloads.joomla.org/cms/joomla3/3-7-1.

Reference

[1] https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
[2] https://www.joomla.org/announcements/release-news/5705-joomla-3-7-1-release.html
