#VU12983 Information disclosure in Joomla! - CVE-2018-11325


Vulnerability identifier: #VU12983

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-11325

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Joomla!
Web applications / CMS

Vendor: Joomla!

Description

The vulnerability allows a local user to obtain the administrator's password.
The vulnerability exists because the web installer automatically fills in the password fields again after either a form validation error or navigation back to a previous install step, and displays the administrator account's password in plain text on the confirmation screen. The password is therefore present in the rendered page source and on screen, where anyone with access to the browser session during installation can read it.
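The disclosure pattern the description refers to, as an added illustration that is not Joomla's installer code: a minimal PHP sketch of a multi-step installer that keeps the submitted administrator password in the session, writes it back into the password inputs when the form is re-rendered after a validation error or a step back, and prints it on the confirmation screen, beside a hardened variant that never echoes the password. The function names, the validation rules and the session layout are assumptions made for the example.

```php
<?php
// Added example of the CWE-200 pattern described in the advisory (not Joomla code).
// A multi-step installer holds the submitted admin password in session state,
// re-renders it into the password inputs on a validation error or "back" step,
// and prints it in clear text on the confirmation step. Hardened variant beside it.
declare(strict_types=1);

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable: the stored password is written back into the value attribute.
 * It ends up in the page source, browser cache/history and any screenshot.
 * Output escaping does not help; the problem is disclosure, not injection.
 */
function renderPasswordFieldsVulnerable(array $state): string
{
    $pw = $state['admin_password'] ?? '';
    return '<input type="password" name="admin_password" value="' . esc($pw) . '">' . "\n"
         . '<input type="password" name="admin_password2" value="' . esc($pw) . '">' . "\n";
}

/** Hardened: password inputs are always rendered empty; the user re-types them. */
function renderPasswordFieldsHardened(): string
{
    return '<input type="password" name="admin_password" value="" autocomplete="new-password">' . "\n"
         . '<input type="password" name="admin_password2" value="" autocomplete="new-password">' . "\n";
}

/** Vulnerable: the confirmation screen echoes the secret itself. */
function renderConfirmationVulnerable(array $state): string
{
    return 'Admin user: ' . esc($state['admin_user']) . "\n"
         . 'Admin password: ' . esc($state['admin_password']) . "\n";
}

/** Hardened: state only that a password was set, never what it is. */
function renderConfirmationHardened(array $state): string
{
    $set = ($state['admin_password'] ?? '') !== '' ? 'set' : 'not set';
    return 'Admin user: ' . esc($state['admin_user']) . "\n"
         . 'Admin password: ' . $set . "\n";
}

/** Validation step whose failure forces the form to be rendered again (assumed rules). */
function validate(array $state): array
{
    $errors = [];
    if (strlen($state['admin_password'] ?? '') < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    if (($state['admin_password'] ?? '') !== ($state['admin_password2'] ?? '')) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

// Constructed sample submission; assumption: the installer keeps it in $_SESSION.
$session = [
    'admin_user'      => 'admin',
    'admin_password'  => 'Tr0ub4dor&3x!',
    'admin_password2' => 'Tr0ub4dor&3y!',   // typo -> validation error -> re-render
];

$errors = validate($session);
echo "Validation errors: " . implode(' ', $errors) . "\n\n";

echo "-- vulnerable re-render (password leaks into value attributes) --\n"
   . renderPasswordFieldsVulnerable($session);
echo "-- hardened re-render --\n" . renderPasswordFieldsHardened();

// Simulate the user fixing the mismatch and reaching the confirmation screen.
$session['admin_password2'] = $session['admin_password'];
if (validate($session) === []) {
    echo "\n-- vulnerable confirmation --\n" . renderConfirmationVulnerable($session);
    echo "-- hardened confirmation --\n" . renderConfirmationHardened($session);
}
```

Run with `php installer_demo.php`. The vulnerable branch prints `value="Tr0ub4dor&amp;3x!"` twice and then the password again on the confirmation screen; the hardened branch prints empty inputs and the word `set`. In a real installer the password should also be dropped from the session as soon as the administrator account has been created, so that a later step or error page has nothing left to echo.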

Mitigation
Update to version 3.8.8.

Vulnerable software versions

Joomla!: 3.0.0 - 3.0.4, 3.1.0 - 3.1.6, 3.2.0 - 3.2.7, 3.3.0 - 3.3.6, 3.4.0 - 3.4.8, 3.5.0 - 3.5.9, 3.6.0 - 3.6.5, 3.7.0 - 3.7.5, 3.8.0 - 3.8.7


External links
https://developer.joomla.org/security-centre.html


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system (the browser session running the installer) in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
