VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2019-25740

Description

Joomla com_jsjobs 1.2.6 allows authenticated users to delete arbitrary files via path traversal in custom userfield parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Joomla component com_jsjobs version 1.2.6 contains an arbitrary file deletion vulnerability. This vulnerability allows authenticated attackers to delete files on the server by manipulating custom userfield parameters, specifically the field_2 parameter within the job.savejob task. [2]

Exploitation

An authenticated attacker can exploit this vulnerability by sending a crafted POST request to the job.savejob task. The request must include path traversal sequences, such as ../../, within the field_2 parameter. This manipulation allows the attacker to target and delete arbitrary files that the web server process has permissions to remove. [2]

Impact

Successful exploitation of this vulnerability allows an attacker to delete arbitrary files accessible to the web server. This can lead to denial-of-service conditions or the removal of critical system files, potentially impacting the integrity and availability of the Joomla installation. [2]

Mitigation

The vulnerability affects JS Jobs <= 1.2.6. A fixed version is not explicitly disclosed in the available references. Users are advised to check for updates from the component vendor or consider alternative solutions if a patch is not available. [1, 2]
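
While no fixed version is identified, request inspection is one interim control. The following is an added example (not from the advisory, the vendor, or the cited references) that flags job.savejob POST bodies whose custom userfield values contain a `..` path segment. It assumes a URL-encoded form body and that userfields are named field_<n> like the field_2 cited above; the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: custom userfields follow the field_<n> naming of field_2.
USERFIELD = re.compile(r"^field_\d+$")
# A ".." path segment delimited by start/end of value or a slash/backslash.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding, bounded so hostile input cannot loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_userfields(body):
    """Return (name, decoded value) pairs worth alerting on in one POST body."""
    params = parse_qsl(body, keep_blank_values=True)  # decodes one layer
    if ("task", "job.savejob") not in params:
        return []
    hits = []
    for name, value in params:
        if USERFIELD.match(name):
            decoded = decode_fully(value)
            if TRAVERSAL.search(decoded):
                hits.append((name, decoded))
    return hits

# Constructed sample bodies, not captured traffic.
SAMPLES = [
    "option=com_jsjobs&task=job.savejob&title=Engineer&field_2=cv.pdf",
    "option=com_jsjobs&task=job.savejob&field_2=..%2F..%2Fexample.txt",
    "option=com_jsjobs&task=job.savejob&field_2=%252e%252e%252fexample.txt",
    "option=com_jsjobs&task=job.view&field_2=..%2F..%2Fexample.txt",
    "option=com_jsjobs&task=job.savejob&field_2=draft..final.pdf",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(suspicious_userfields(body) or "clean", "<-", body)
```

The check matches whole `..` segments only, so a filename such as `draft..final.pdf` is not flagged, and it alerts on every field_<n> parameter rather than field_2 alone.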

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
