CVE-2023-28731: Unauthenticated RCE affecting the AcyMailing plugin for Joomla
First published: Thu Mar 30 2023(Updated: )
AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.
Credit: vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Phlymail | <8.3.0 |
Remedy
update to a fixed version (>= 8.3.0)
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28731?
CVE-2023-28731 is a vulnerability in the AnyMailing Joomla Plugin that allows unauthenticated remote code execution.
How does CVE-2023-28731 affect AnyMailing Joomla Plugin?
CVE-2023-28731 affects AnyMailing Joomla Plugin Enterprise versions below 8.3.0.
Can an attacker execute arbitrary code remotely with CVE-2023-28731?
Yes, an attacker can execute arbitrary code remotely by exploiting the CVE-2023-28731 vulnerability in the AnyMailing Joomla Plugin.
What is the severity of CVE-2023-28731?
CVE-2023-28731 has a severity rating of 9.8 (critical).
How can I fix CVE-2023-28731?
To fix CVE-2023-28731, you should update AnyMailing Joomla Plugin Enterprise to version 8.3.0 or above.
- agent/weakness
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/author
- agent/source
- agent/last-modified-date
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/acymailing
- canonical/phlymail