VYPR
Unrated severity · NVD Advisory · Published Sep 20, 2018 · Updated Aug 5, 2024

CVE-2018-14592

Description

The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in CW Article Attachments PRO <2.0.7 and FREE <1.0.6 for Joomla! via download.php.

Vulnerability

The CWJoomla CW Article Attachments extension for Joomla! contains a SQL injection vulnerability in download.php. Both the PRO version (before 2.0.7) and the FREE version (before 1.0.6) are affected. The injection occurs because user-supplied input is not properly sanitized before being used in SQL queries within the download script [1].

Exploitation

An attacker must be able to send crafted HTTP requests to the download.php endpoint. No authentication is explicitly required, as the download script may be accessible to unauthenticated users. By manipulating input parameters (likely an ID or token) sent to download.php, the attacker can inject SQL commands that will be executed by the Joomla database backend [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the Joomla database. This can lead to unauthorized retrieval of sensitive data (e.g., user credentials, session tokens), modification or deletion of database content, and potentially further compromise of the Joomla site depending on the database user's privileges [1].

Mitigation

The vendor released fixed versions: PRO version 2.0.7 (with further security improvements in 2.1.2) and FREE version 1.0.6 (with further improvements in 1.0.7). Users are strongly advised to update to at least these respective versions. No workarounds are mentioned in the available references. The fix is available from the vendor's download portal for registered users [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
