CVE-2023-23752 — Joomla! Improper Access Control Vulnerability

Joomla! — Unauthenticated Access to Webservice API Endpoints Exposes Database Credentials and Configuration Data; Fixed in 4.2.8; KEV January 2024

What is Joomla!?

Joomla! is one of the world's most widely deployed open-source content management systems (CMS), powering millions of websites including government portals, educational institutions, NGOs, and commercial sites globally. Joomla! 4.x introduced a REST API (webservice API) that allows programmatic access to Joomla! content, user data, and configuration via HTTP. The webservice API endpoints expose structured JSON data for categories, articles, users, and application configuration — including sensitive information like database connection credentials stored in the application's configuration.php file. Improper access control on these API endpoints allows unauthenticated callers to retrieve sensitive configuration data.

Overview

CVE-2023-23752 is an improper access control vulnerability (CWE-863) in Joomla! 4.0.0 through 4.2.7 that allows unauthenticated remote access to webservice API endpoints, exposing Joomla! configuration data. Critically, certain API endpoints return application configuration information including database hostname, database name, database username, and database password — effectively providing the database credentials for the Joomla! installation to any unauthenticated caller. Joomla! patched the vulnerability in version 4.2.8, released February 16, 2023. CISA added CVE-2023-23752 to the KEV catalog on January 8, 2024 — nearly 11 months after patching, confirming that threat actors were actively exploiting unpatched installations.

Affected Versions

Product   Versions      Affected   Fixed
Joomla!   4.0.0–4.2.7   Yes        4.2.8

Note: Joomla! 3.x and Joomla! 5.x are not affected — CVE-2023-23752 is specific to the Joomla! 4.x webservice API introduced in version 4.0.0.

Technical Details

The improper access control (CWE-863) in Joomla!'s webservice API occurs because certain API endpoint routes fail to enforce authentication requirements. Joomla! 4.x's REST API uses an option and view routing system, and the access control check for some endpoints — particularly those returning application configuration data — can be bypassed via a crafted HTTP request.

The exploitation technique is straightforward:

  1. Send an unauthenticated GET request to a Joomla! webservice API endpoint (e.g., /api/index.php/v1/config/application?public=true or variations using HTTP Content-Type header manipulation)
  2. Receive configuration data — the API returns a JSON response including the Joomla! configuration object, which contains database connection parameters: DB host, DB name, DB username, and DB password in plaintext
  3. Use the database credentials — with the database credentials, an attacker can connect directly to the MySQL/MariaDB database if it is network-accessible, or use the credentials for further exploitation (e.g., modifying Joomla! user records in the database to create administrative accounts)

The CVSS vector's C:L (low confidentiality impact) rating may understate the practical impact: while the API returns only a limited set of configuration fields, the database credentials within that set are a high-value secret whose disclosure can lead to full site compromise.

Discovery

CVE-2023-23752 was reported to Joomla!'s security team and patched in 4.2.8 on February 16, 2023. Proof-of-concept exploit code quickly became publicly available after disclosure, leading to widespread automated scanning and exploitation of unpatched Joomla! 4.x installations. The nearly 11-month gap to KEV addition reflects ongoing exploitation of the large installed base of unpatched Joomla! 4.x sites throughout 2023.

Exploitation Context

Joomla! installations are attractive CMS targets because:

  • Millions of sites run Joomla!, providing a large attack surface for automated exploitation
  • Database credentials obtained via CVE-2023-23752 provide access to all stored content, user accounts, and session data
  • Attackers with database access can create backdoor administrator accounts, inject malicious content, or access sensitive stored data (PII, credentials)
  • Government, NGO, and educational Joomla! deployments contain sensitive organizational data

Threat actors including cryptomining operators, web skimming groups (Magecart), and SEO spam operators were among those exploiting CVE-2023-23752 to compromise Joomla! 4.x sites throughout 2023.

Remediation

  1. Upgrade to Joomla! 4.2.8 or later — the fix was released February 16, 2023; any site still running 4.0.0–4.2.7 is vulnerable.
  2. Rotate database credentials — if the site was running a vulnerable Joomla! version with the API accessible, assume the database credentials were disclosed; rotate them in both the database server and the Joomla! configuration.
  3. Restrict database network access — the MySQL/MariaDB database should not be accessible from the internet; restrict it to localhost or trusted application server IPs, limiting the blast radius of credential disclosure.
  4. Review Joomla! administrator accounts — inspect the administrator user table for unauthorized accounts added by attackers who obtained database credentials via this vulnerability.
  5. Disable the Joomla! API if unused — if your Joomla! site does not use the REST API, disable it under System → Web Services.
  6. Apply a web application firewall (WAF) — WAF rules blocking unauthenticated access to the Joomla! API paths provide a compensating control for sites that cannot immediately upgrade.
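As an added detection example (written for this page, not part of the advisory or the Joomla! project), the following Python scans web server access logs in combined format for the request pattern described under Technical Details, which is also the traffic a WAF rule from remediation step 6 would block. The log lines are constructed samples, and the severity labels and function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample entries in Apache/Nginx "combined" log format (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2023:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1543 "-" "python-requests/2.28"
203.0.113.7 - - [12/Mar/2023:10:01:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "python-requests/2.28"
198.51.100.4 - - [12/Mar/2023:10:02:10 +0000] "GET /index.php/component/content/article/1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2023:10:03:44 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 120 "-" "curl/7.88"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

API_PREFIX = "/api/index.php/v1/"                         # Joomla! 4 webservice API
CONFIG_ENDPOINT = "/api/index.php/v1/config/application"  # endpoint named in the advisory


def classify(line):
    """Return (severity, reason, ip, path, status) for a suspicious entry, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, status = m.group("ip"), m.group("status")
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(API_PREFIX):
        return None
    public_flag = parse_qs(parts.query).get("public", [""])[0].lower() == "true"
    if parts.path.startswith(CONFIG_ENDPOINT):
        if status == "200":
            # A 200 means the config object was served; on 4.0.0-4.2.7 that includes DB credentials.
            return ("high", "config endpoint returned 200", ip, parts.path, status)
        return ("medium", "config endpoint probed", ip, parts.path, status)
    if public_flag:
        # The same public=true bypass attempted against another API resource.
        return ("medium", "public=true on API path", ip, parts.path, status)
    return None


def scan(log_text):
    """Scan a whole log; return hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for sev, reason, ip, path, status in scan(SAMPLE_LOG):
        print(f"[{sev.upper()}] {ip} {path} {status}: {reason}")
```

Access logs do not record whether a bearer token was presented, so legitimate authenticated API clients reading the config endpoint are flagged too; correlate hits against your known API consumers before treating them as exploitation.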

Key Details

Property               Value
CVE ID                 CVE-2023-23752
Vendor / Product       Joomla! — Joomla!
NVD Published          2023-02-16
NVD Last Modified      2025-10-24
CVSS 3.1 Score         5.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity               MEDIUM
CWE                    CWE-863
CISA KEV Added         2024-01-08
CISA KEV Deadline      2024-01-29
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       Low
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-01-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-02-16   Joomla! releases version 4.2.8 patching CVE-2023-23752 (improper access check in webservice endpoints); CVE formally published
2024-01-08   CISA adds CVE-2023-23752 to the Known Exploited Vulnerabilities catalog, nearly 11 months after the patch release
2024-01-29   CISA BOD 22-01 remediation deadline

References

Resource                 Type
NVD — CVE-2023-23752     Vulnerability Database
CISA KEV Catalog Entry   US Government