Cyber security company Paladion has discovered vulnerabilities in extensions for the content management system Joomla.
Joomla, an open source software, has two million users and contributors. Its popularity has also prompted other coders and companies to produce more than 8,000 extensions to offer additional handy features. Use of some of these extensions exposed users to security risks and attacks.
Paladion found instances of data not being validated when being exported from Joomla extensions to a CSV file format.
“This vulnerability made it possible for an attacker to spread malware via spreadsheets such as Microsoft Excel and LibreOffice Calc. Unauthorized remote machine access was also possible,” Paladion security expert Suresh Narvaneni, said.
Suresh Narvaneni identified the issue in specific Joomla extensions from Acyba and notified Joomla immediately. In addition, a missing validation on a URL field when creating a new company record and a vulnerability to cross-site-scripting (XSS) were found in the JS Jobs extension from Joom Sky.
Joomla contacted the developers for the extensions concerned, with issues being fixed within one day. Joomla also published a note on the vulnerability at https://vel.joomla.org/articles/2140-introducing-csv-injection. The note related how special characters in exported data could be interpreted as formulae (CSV formula injection) or as commands to open programs such as Windows Power Shell.
Extension developer Acyba released a patch to protect exports of data destined for Excel using the information from Paladion.
Extension developer Joom Sky released a patch for JS Jobs.
Paladion recommends users take these actions for the following Joomla extensions
for AcySMS, update this extension to version 3.5.1 or later
for AcyMailing, update this extension to version 5.9.6 or later
for JS Jobs, update this extension to version 1.2.1.