com_media allowed paths that are not intended for image uploads to RCE.
Directory traversal in com_media to RCE
Two CVEs are the same.
Affected version: Joomla core <=3.9.24
User requirement: Admin account (Not Superadmin)
Gain access: Create superadmin, then trigger RCE.
Remote Code Execution (RCE) in Joomla
cve-2021-23132.py with your credentials and access link rce:
python3 cve-2021-23132.py -url http://192.168.72.140 -u admin -p 1234 -rce 1 -cmd ls
I wrote PoC to be able to use
Directory Traversal or RCE mode.
Directory Traversal to trigger RCE.
You can use
python3 cve-2021-23132.py -h to how to use PoC.
Note: Make sure you used python3 and install
pip3 install lxml
Please use your research and help Joomla more secure.