CVE-2022-23799: [20220307] - Core - Variable Tampering on JInput $_REQUEST data
First published: Tue Mar 29 2022(Updated: )
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
Credit: security@joomla.org security@joomla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/joomla/input | >=2.0.0<2.0.2 | |
| Joomla Joomla\! | >=4.0.0<=4.1.0 | |
| composer/joomla/input | >=2.0.0<2.0.2 | 2.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-23799
- https://github.com/joomla/joomla-cms/issues/35541
- https://github.com/joomla-framework/input/commit/2086df5860a2edccd77c329ee7cbd118cfe93514
- https://github.com/FriendsOfPHP/security-advisories/blob/master/joomla/input/CVE-2022-23799.yaml
- https://github.com/advisories/GHSA-49fj-qp6p-q544 (Advisory)
Frequently Asked Questions
What is CVE-2022-23799?
CVE-2022-23799 is a vulnerability related to variable tampering in the joomla/input class.
How does variable tampering occur within the joomla/input class?
Variable tampering within the joomla/input class occurs when an attacker is able to manipulate or modify values of variables used within the class.
What is the severity of CVE-2022-23799?
The severity of CVE-2022-23799 is not specified in the provided information.
How can I check if my software is affected by CVE-2022-23799?
If your software uses the joomla/input class version 2.0.0 up to 2.0.2, it may be affected by CVE-2022-23799. Please check your software's dependencies carefully.
How can I fix CVE-2022-23799?
To fix CVE-2022-23799, upgrade to a version of the joomla/input package that is beyond the vulnerable range (2.0.2 or higher).
- collector/friends-of-php
- collector/nvd-index
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-49fj-qp6p-q544
- alias/CVE-2022-23799
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/tags
- package-manager/composer
- vendor/joomla
- canonical/joomla joomla\!
- version/joomla joomla\!/4.0.0
- version/joomla joomla\!/4.1.0