New SQL Injection in Joomla! CMS Allows Attackers Full Administrative Privileges When Exploited

Category: News - Last Updated: Fri, 23 Oct 2015 - by Ferruh Mavituna

A few hours ago Joomla! released version 3.4.5 of its CMS to address a critical unauthenticated SQL injection vulnerability identified by Asaf Orpani, a security researcher at Trustwave.

The Joomla! SQL Injection Technical Details

The SQL injection can give an attacker full administrative access to a target website when combined with other security weaknesses in Joomla! CMS. The vulnerability sits in a core module of Joomla! CMS, so every website running Joomla! CMS versions 3.2.* through 3.4.4 is affected.

The technical details of the SQL Injection vulnerability and several other variations of it can be found in:

  • CVE-2015-7297
  • CVE-2015-7857
  • CVE-2015-7858
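The first question after an advisory like this is which of your installations fall inside the affected range. The following triage helper is an added example, not code from the original post or from Joomla!; it assumes you already have each site's Joomla! version string in an inventory (how you collect it is out of scope here) and checks it against the range stated above (3.2.0 through 3.4.4, fixed in 3.4.5).

```python
import re

# Affected range from the advisory: Joomla! 3.2.* up to and including 3.4.4.
# 3.4.5 is the first fixed release.
AFFECTED_MIN = (3, 2, 0)
AFFECTED_MAX = (3, 4, 4)
FIXED = (3, 4, 5)


def parse_version(text):
    """Turn '3.4.4', 'v3.4', or '3.3.1-dev' into a 3-tuple of ints.

    Missing components count as 0; any suffix after the numeric part is ignored,
    so pre-release builds of an affected version are still flagged.
    """
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True if the version is within the range the advisory calls vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory):
    """Return {hostname: version} for every host still on an affected release."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "shop.example.test": "3.4.4",       # last vulnerable release
    "blog.example.test": "3.4.5",       # fixed
    "intranet.example.test": "3.2.0",   # bottom of the affected range
    "legacy.example.test": "3.1.6",     # predates the affected module versions
    "dev.example.test": "3.3.1-dev",    # suffix is ignored, still affected
}

if __name__ == "__main__":
    for host, ver in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: Joomla! {ver} is in the affected range; upgrade to 3.4.5 or later")
```

Version matching only tells you what needs patching; it says nothing about whether a site has already been attacked, which is why scanner-side heuristic detection and log review remain necessary alongside it.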

Considering how easy this vulnerability is to exploit, and how popular Joomla! CMS is, expect widespread attacks and thousands of Joomla! CMS websites to be hacked.

Netsparker Heuristically Detects The New SQL Injection in Joomla!

Both Netsparker Desktop and Netsparker Enterprise web application security scanners can already detect this new critical SQL injection in Joomla! CMS, so you do not need to update or wait for updates from us.

Netsparker web security scanner will heuristically identify the new SQL Injection in Joomla!

Netsparker scanners identify this new SQL injection in Joomla! CMS heuristically, rather than simply flagging the vulnerability by checking the version of Joomla! CMS your website is running.

