CVE-2015-7341
Description
JNews Joomla Component before 8.5.0 allows arbitrary File Upload via Subscribers or Templates, as demonstrated by the .php5 extension.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- JNews/JNews Joomla Component
Patches
Vulnerability mechanics
Root cause
"The component fails to properly validate uploaded file types, allowing arbitrary file uploads."
Attack vector
An attacker with low privileges can upload a malicious PHP file by exploiting the Subscribers or Templates functionality within the JNews Joomla Component. For the Subscribers feature, the attacker can directly upload a .php5 file, which is saved with an "upload" prefix to the media directory. For the Templates feature, the attacker can create a zip archive containing a malicious PHP file and an index.html file, which is then uploaded and can be executed from the templates directory [ref_id=1].
Affected code
The vulnerability exists in the Subscribers and Templates sections of the JNews Joomla Component. Specifically, the file upload functionality in these areas does not adequately restrict file types, allowing for the upload of executable files like PHP scripts [ref_id=1].
What the fix does
The advisory does not provide specific details about the patch. However, it indicates that JNews Joomla Component versions prior to 8.5.0 are affected. Users are advised to update to version 8.5.0 or later to remediate the vulnerability.
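Since the advisory gives no patch details, the following is an added example of the kind of check whose absence the root cause describes. It is not the JNews 8.5.0 fix or any project code. The function names and both extension allowlists are assumptions chosen for illustration.

```php
<?php
// Added example, not JNews code. Both extension allowlists are assumptions.
const SUBSCRIBER_IMPORT_EXT = ['csv', 'txt'];
const TEMPLATE_MEMBER_EXT = ['html', 'htm', 'css', 'png', 'jpg', 'jpeg', 'gif'];

// True only if the name has an extension and every dot-separated suffix is
// allowlisted. Checking all suffixes also rejects names such as "x.php5.txt".
function name_is_allowed(string $name, array $allowed): bool
{
    $base = basename(str_replace('\\', '/', $name));
    $suffixes = array_slice(explode('.', strtolower($base)), 1);
    if ($base === '' || $base[0] === '.' || $suffixes === [] || strpos($base, "\0") !== false) {
        return false;
    }
    foreach ($suffixes as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Returns archive members that must block the upload (empty array = acceptable).
function rejected_zip_members(string $zipPath, array $allowed): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['<unreadable archive>'];
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $member = $zip->getNameIndex($i);
        if ($member === false || $member === '') { $bad[] = "<entry $i>"; continue; }
        $isDir = substr($member, -1) === '/';
        $unsafePath = $member[0] === '/' || strpos($member, '..') !== false;
        if ($unsafePath || (!$isDir && !name_is_allowed($member, $allowed))) {
            $bad[] = $member;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample archive: one harmless page plus a placeholder .php member.
$tmp = tempnam(sys_get_temp_dir(), 'tpl');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('template/index.html', '<html></html>');
$zip->addFromString('template/page.php', 'placeholder');
$zip->close();
var_dump(name_is_allowed('list.csv', SUBSCRIBER_IMPORT_EXT));
var_dump(name_is_allowed('list.php5', SUBSCRIBER_IMPORT_EXT));
print_r(rejected_zip_members($tmp, TEMPLATE_MEMBER_EXT));
unlink($tmp);
```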
Preconditions
- auth: Attacker has low-privilege access to the JNews Joomla Component.
- input: Attacker crafts a malicious file (e.g., .php5) or a zip archive containing a malicious PHP file.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. labs.integrity.pt/advisories/cve-2015-7341/ (mitre, x_refsource_MISC)