Joomla! Webservice Endpoints Improper Access Control Vulnerability (CVE-2023-23752)

A high-severity improper access control vulnerability has been discovered in Joomla! CMS. Tracked as CVE-2023-23752, the vulnerability may allow an attacker to gain unauthorized access to webservice endpoints and read sensitive information from the target application.

On January 8, 2024, CISA added CVE-2023-23752 to its Known Exploited Vulnerabilities Catalog and recommended that users patch the flaw before January 29, 2024.
 
Joomla! is a free, open-source content management system (CMS) used to publish a website's content. A web-based CMS lets users with varying access permissions manage the content, data, or information of a website or intranet application.

Vulnerability Analysis

The api/index.php route contains a flaw that leads to improper access control. The input member of the $app object, set up in app.php, stores all HTTP request parameters.

In the execute() function, sanityCheckSystemVariables filters the parameters used to render templates, which provides XSS prevention. setupLogging and createExtensionNameSpaceMap set up additional logging for the system.

doExecute holds the routing logic. The most important parts of doExecute are the route and dispatch functions.

The route function is divided into two parts:

1. Route selection
2. Identity verification

Route Selection

The parseApiRoute function looks up the matching entry in $routers directly from the requested HTTP method and URL.

Identity Verification

The route's vars and public parameters control whether authentication is performed. The public parameter determines whether the endpoint is accessible without authentication; by default it is set to false, so the endpoint is not open to the outside world.

Because variables supplied in the request URL override the variables stored in the route's vars, an attacker can set the public parameter to true from the request. Once the parameter is true, no authentication is required and the request proceeds directly to route dispatch.

The broken API endpoint /api/index.php/v1/config/application?public=true can be used to obtain the most critical configuration information of the website, including the database username and password.
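Beyond scanning for the vulnerable version, defenders can look for this override pattern in web server access logs. The following is an added Python example, not code from the original post or from the Joomla! project: it flags webservice API requests that carry public=true, marks those that hit the config endpoint successfully, and checks whether a reported Joomla! version falls in the affected 4.0.0 to 4.2.7 range. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /index.php/component/content/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:01:09 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2310 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2024:10:01:15 +0000] "GET /api/index.php/v1/users?public=True HTTP/1.1" 200 980 "-" "python-requests/2.31"
198.51.100.2 - - [10/Jan/2024:10:02:00 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 120 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_public_override(target: str) -> bool:
    """True when the request targets the webservice API and passes public=true."""
    parts = urlsplit(target)
    if not parts.path.startswith("/api/index.php"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(v.lower() == "true" for v in query.get("public", []))

def find_exploit_attempts(log_text: str) -> list[dict]:
    """Return one record per request that attempts the public=true override."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_public_override(m["target"]):
            continue
        path = urlsplit(m["target"]).path
        hits.append({
            "ip": m["ip"],
            "path": path,
            "status": int(m["status"]),
            # A 200 on the config endpoint means the site configuration,
            # including database credentials, was most likely returned.
            "config_leak": path.endswith("/v1/config/application") and m["status"] == "200",
        })
    return hits

def is_affected_version(version: str) -> bool:
    """Joomla! 4.0.0 through 4.2.7 are affected; 4.2.8 carries the fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (4, 0, 0) <= parts <= (4, 2, 7)

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
```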

Affected Versions

Joomla! versions 4.0.0 to 4.2.7 are affected by this vulnerability.

Mitigation

To patch this vulnerability, customers should upgrade to the latest Joomla! version, 4.2.8. For more information, please refer to the Joomla! Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 730735 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References

https://xz.aliyun.com/t/12175
https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
