CVE-2013-5576

Published: Oct 9, 2013Modified: Apr 29, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.

Affected (24)

Products: Joomla: Joomla!

1 product

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Joomla Joomla!	Version 2.5.0
Joomla Joomla!	Version 2.5.10
Joomla Joomla!	Version 2.5.11
Joomla Joomla!	Version 2.5.12
Joomla Joomla!	Version 2.5.13
Joomla Joomla!	Version 2.5.1
Joomla Joomla!	Version 2.5.2
Joomla Joomla!	Version 2.5.3
Joomla Joomla!	Version 2.5.4
Joomla Joomla!	Version 2.5.5
Joomla Joomla!	Version 2.5.6
Joomla Joomla!	Version 2.5.7
Joomla Joomla!	Version 2.5.8
Joomla Joomla!	Version 2.5.9

Configuration B

10 vulnerable

Vulnerable Software	Affected Versions
Joomla Joomla!	Version 3.0.0
Joomla Joomla!	Version 3.0.1
Joomla Joomla!	Version 3.0.2
Joomla Joomla!	Version 3.0.3
Joomla Joomla!	Version 3.0.4
Joomla Joomla!	Version 3.1.0
Joomla Joomla!	Version 3.1.1
Joomla Joomla!	Version 3.1.2
Joomla Joomla!	Version 3.1.3
Joomla Joomla!	Version 3.1.4

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (18)

http://developer.joomla.org/security/563-20130801-core-unauthorised-uploads.html

Source: cve@mitre.org

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626

Source: cve@mitre.org

http://seclists.org/oss-sec/2013/q3/484

Source: cve@mitre.org

http://seclists.org/oss-sec/2013/q3/486

Source: cve@mitre.org

http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/

Source: cve@mitre.org

http://www.exploit-db.com/exploits/27610

Source: cve@mitre.org

Exploit

http://www.kb.cert.org/vuls/id/639620

Source: cve@mitre.org

US Government Resource

https://github.com/joomla/joomla-cms/commit/1ed07e257a2c0794ba19e864f7c5101e7e8c41d2

Source: cve@mitre.org

https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8

Source: cve@mitre.org

ExploitPatch

http://developer.joomla.org/security/563-20130801-core-unauthorised-uploads.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2013/q3/484

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2013/q3/486

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.exploit-db.com/exploits/27610

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.kb.cert.org/vuls/id/639620

Source: af854a3a-2127-422b-91ae-364da2661108

US Government Resource

https://github.com/joomla/joomla-cms/commit/1ed07e257a2c0794ba19e864f7c5101e7e8c41d2

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

Timeline

No history available yet.