Joomla is a very popular content management system used by developers around the world to build their clients' websites. Known for its versatility and ease of use, this CMS was recently hit by two vulnerabilities that can be chained together and used by attackers to compromise the system. In fact, the security of the entire network is compromised if attackers take advantage of these dual flaws. If you are a Joomla developer, it is vitally important to be aware of these two vulnerabilities.
Security researchers recently identified not one but two critical vulnerabilities in the Joomla CMS. The first vulnerability relates to the password reset mechanism, while the other is an XSS flaw. Researchers at Fortbridge discovered these vulnerabilities in February and March 2021 and submitted their report to the Joomla developers.
There are nearly 1.5 million websites powered by Joomla on the web. What is disconcerting for any Joomla developer is the warning issued by the Fortbridge researchers. They say that although the two vulnerabilities appear unrelated, attackers can chain them together to attack the victim's network. The researchers found that by uploading a custom plug-in theme for this CMS, they gained the ability to execute code remotely. They acknowledge that the Joomla developers released a patch addressing both vulnerabilities in May 2021. However, the researchers claim that the password reset vulnerability remains unaddressed to date.