Newly discovered vulnerabilities pose a serious threat to Joomla sites that use extensions built on the Novarain/Tassos Framework. Working through SSD Secure Disclosure, independent researcher p1r0x found flaws that permit unauthenticated file reads, unauthenticated file deletion and SQL injection. On unpatched systems, attackers can chain these to execute code remotely and take over administrator accounts.

Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields and Smile Pack are among the affected extensions; all of them depend on the plg_system_nrframework plugin, formerly called Novarain Framework and now Tassos Framework. The root cause is the framework's inadequate AJAX handling: a flaw in the "include" task lets an attacker load arbitrary files or classes from the Joomla root and trigger onAjax handlers. Three attack primitives result.

First, flawed CSV processing bypasses the file-type check, letting unauthenticated web users read local files. Second, a "remove" action calls unlink() directly on a caller-supplied path, enabling unauthenticated file deletion, including of protective files such as .htpasswd. Third, unsanitized parameters reach the database queries used for item retrieval, so SQL injection can dump tables and columns, subject to the privileges of the database user.
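To make those three primitives concrete, the following is an added, self-contained PHP illustration written for this article; it is not code from the Tassos/Novarain Framework. It shows the unsafe shape the advisory describes (a caller-supplied path handed to unlink(), a request parameter concatenated into SQL) next to hardened equivalents: an authorization and CSRF gate, a realpath()-based confinement check that also applies to file reads such as the CSV case, a fixed dispatch table instead of an "include whatever was named" task, and a bound query parameter. The table name, task names, handler class names, upload directory and the use of PDO with the SQLite driver are all assumptions made for the demo.

```php
<?php
// Added example for this article, not the framework's own code.
// Assumptions: PDO with pdo_sqlite available; a writable temp directory;
// table "items" and task/handler names are hypothetical.
declare(strict_types=1);

const JOOMLA_ROOT = '/var/www/joomla';   // assumed site root, used only by the unsafe sample

// --- Unsafe patterns (the shape the advisory describes) -------------------
function unsafeRemove(array $input): void {
    // Path taken straight from the request: an anonymous caller can delete
    // .htpasswd, configuration.php, or anything else the web user owns.
    unlink(JOOMLA_ROOT . '/' . $input['file']);
}

function unsafeItems(PDO $db, array $input): array {
    // Parameter concatenated into the SQL text: classic injection.
    $sql = 'SELECT id, title FROM items WHERE id = ' . $input['id'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened equivalents --------------------------------------------------
function requireAuthorised(bool $loggedIn, bool $canManage, string $token, string $expected): void {
    // Any AJAX task that touches the filesystem or database must verify the
    // session, the permission and the CSRF token before doing anything.
    if (!$loggedIn || !$canManage || !hash_equals($expected, $token)) {
        throw new RuntimeException('403 Forbidden');
    }
}

function confinedPath(string $baseDir, string $userPath): string {
    // realpath() follows symlinks and collapses "../", so the prefix test
    // sees the real target. Non-existent targets are rejected as well.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes allowed directory');
    }
    return $real;
}

function safeRemove(array $input, string $uploadDir): void {
    // Only files under the upload directory, and only allow-listed types.
    $path = confinedPath($uploadDir, $input['file']);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ['csv', 'txt'], true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    unlink($path);
}

function safeInclude(string $task): string {
    // Dispatch through a fixed map; never build a file or class name from input.
    $handlers = ['export' => 'ExportHandler', 'stats' => 'StatsHandler']; // hypothetical
    if (!isset($handlers[$task])) {
        throw new InvalidArgumentException('unknown task');
    }
    return $handlers[$task];
}

function safeItems(PDO $db, array $input): array {
    // Cast and bind: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int) $input['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with constructed inputs -----------------------------------------
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items VALUES (1, 'first'), (2, 'second')");

$attack = ['id' => '1 OR 1=1', 'file' => '../../.htpasswd'];   // constructed attacker input
echo count(unsafeItems($db, $attack)), " rows from the unsafe query\n";   // 2: injection worked
echo count(safeItems($db, $attack)), " row(s) from the safe query\n";     // 1: "1 OR 1=1" cast to 1

try {
    requireAuthorised(false, false, 'no-token', 'expected-token');  // anonymous caller
} catch (RuntimeException $e) {
    echo "remove refused for anonymous caller: {$e->getMessage()}\n";
}

$uploadDir = sys_get_temp_dir() . '/nr_demo_' . getmypid();
mkdir($uploadDir);
file_put_contents("$uploadDir/export.csv", "a,b\n");
try {
    safeRemove($attack, $uploadDir);                 // traversal attempt
} catch (InvalidArgumentException $e) {
    echo "remove rejected: {$e->getMessage()}\n";
}
safeRemove(['file' => 'export.csv'], $uploadDir);    // legitimate removal
echo file_exists("$uploadDir/export.csv") ? "still there\n" : "export.csv removed\n";
echo 'include dispatches to ', safeInclude('export'), "\n";
rmdir($uploadDir);
```

Run it with the PHP CLI. The injected id returns both rows through the unsafe query and exactly one through the bound query; the traversal path is rejected before unlink() is ever reached, while a legitimate in-directory removal still works.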

The chain starts with the SQL injection, used to steal credentials or session data for an administrator account. With that access the attacker can authenticate as an administrator, upload a malicious extension, or inject code into templates to achieve remote code execution. Arbitrary file deletion adds a further denial-of-service angle by destabilizing the site. Updates are delivered through the vendor's Downloads section and require a Download Key configured in the plugin, so sites without a valid key will not pick them up automatically; any internet-facing Joomla instance that has not applied the patch is a prime target.

Although no CVEs have been assigned yet, the problems require immediate attention.

Description                                                        CVE ID   CVSS Score
Unauthenticated file deletion via unlink() in the AJAX remove action   N/A      N/A
Unauthenticated file read via the CSV-processing bypass                N/A      N/A
SQL injection during retrieval of database-backed items                N/A      N/A

Vulnerable version ranges:
- Novarain/Tassos Framework v4.10.14 to v6.0.37
- Convert Forms v3.2.12 to v5.1.0
- EngageBox v6.0.0 to v7.1.0
- Google Structured Data v5.1.7 to v6.1.0
- Advanced Custom Fields v2.2.0 to v3.1.0
- Smile Pack v1.0.0 to v2.1.0

Tassos has released patches: update through Joomla's Extension Manager, or download the latest builds from the vendor's website.

Site owners should patch immediately. If patching will be delayed, disable the nrframework system plugin or the affected extensions. As a stopgap, block requests to ?option=com_ajax at the WAF or web server; Joomla routes plugin AJAX calls through com_ajax with a plugin= parameter, so a rule restricted to plugin=nrframework is less disruptive than blocking com_ajax wholesale, which would also break other extensions' AJAX calls.

Monitor the logs for unexpected file changes (in particular, deleted .htpasswd or configuration files) and for suspicious AJAX calls. This disclosure highlights the persistent risk that third-party Joomla extensions carry. Framework authors must avoid direct filesystem calls on user-supplied paths, validate inputs strictly, and tighten AJAX endpoints so that every task checks authentication and authorization before acting.
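As an added example of the monitoring just described (my own script, not something published with the advisory), here is a small PHP triage tool that does both jobs: it flags com_ajax requests aimed at the nrframework plugin whose query string carries traversal, sensitive-file, remove-task or SQL-injection indicators, and it detects deletion or modification of watched files against a hash baseline. The access-log lines, IP addresses and file contents are constructed for the demo; the parameter names option, plugin and task follow Joomla's com_ajax convention, while the file= and id= parameters are assumptions about the request shape.

```php
<?php
// Added example for this article. Log lines and paths below are constructed.
declare(strict_types=1);

// Constructed Apache combined-format lines (not real traffic).
$logLines = [
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include&file=../../configuration.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw&task=remove&file=.htpasswd HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:10:01:15 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=items&id=1%20UNION%20SELECT%20username,password%20FROM%20jos_users HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=items&id=42 HTTP/1.1" 200 300 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:10:03:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

// Indicators matched against the URL-decoded query string of nrframework calls.
$indicators = [
    'path traversal' => '~\.\.[/\\\\]~',
    'sensitive file' => '~(\.htpasswd|\.htaccess|configuration\.php)~i',
    'remove task'    => '~(^|&)task=remove(&|$)~i',
    'sql injection'  => '~\b(union\s+select|or\s+1\s*=\s*1|information_schema|sleep\s*\()~i',
];

function triageLine(string $line, array $indicators): ?array {
    // Pull the request target out of the combined log format.
    if (!preg_match('~"(?:GET|POST) ([^ ]+) HTTP/~', $line, $m)) {
        return null;
    }
    $query = (string) parse_url($m[1], PHP_URL_QUERY);
    parse_str($query, $params);
    // Only AJAX calls routed to the nrframework plugin are in scope.
    if (($params['option'] ?? '') !== 'com_ajax' || ($params['plugin'] ?? '') !== 'nrframework') {
        return null;
    }
    $decoded = urldecode($query);
    $hits = [];
    foreach ($indicators as $name => $regex) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $name;
        }
    }
    return ['ip' => strtok($line, ' '), 'task' => $params['task'] ?? '', 'hits' => $hits];
}

foreach ($logLines as $line) {
    $r = triageLine($line, $indicators);
    if ($r === null || $r['hits'] === []) {
        continue;   // not nrframework, or a benign-looking call like task=items&id=42
    }
    printf("ALERT %s task=%s indicators=%s\n", $r['ip'], $r['task'], implode(',', $r['hits']));
}

// Integrity baseline for files the unlink() primitive would target.
function snapshot(string $root, array $relPaths): array {
    $out = [];
    foreach ($relPaths as $rel) {
        $full = $root . '/' . $rel;
        $out[$rel] = is_file($full) ? hash_file('sha256', $full) : null;
    }
    return $out;
}

function diffSnapshot(array $before, array $after): array {
    $changes = [];
    foreach ($before as $rel => $hash) {
        if ($hash !== null && $after[$rel] === null) {
            $changes[] = "$rel deleted";
        } elseif ($after[$rel] !== $hash) {
            $changes[] = "$rel modified";
        }
    }
    return $changes;
}

// Demo against a temporary tree standing in for the Joomla root.
$root = sys_get_temp_dir() . '/joomla_demo_' . getmypid();
mkdir("$root/administrator", 0700, true);
file_put_contents("$root/administrator/.htpasswd", 'admin:$apr1$constructed' . "\n");
file_put_contents("$root/configuration.php", "<?php class JConfig {}\n");
$watched = ['administrator/.htpasswd', 'configuration.php'];
$before  = snapshot($root, $watched);
unlink("$root/administrator/.htpasswd");   // simulate the unauthenticated remove action
foreach (diffSnapshot($before, snapshot($root, $watched)) as $change) {
    echo "INTEGRITY $change\n";
}
unlink("$root/configuration.php");
rmdir("$root/administrator");
rmdir($root);
```

Run with the PHP CLI: the first three log lines produce ALERT entries (traversal plus sensitive file, remove task plus sensitive file, and SQL injection), the benign id=42 call and the com_content request are ignored, and the integrity check reports administrator/.htpasswd as deleted. In production, take the baseline snapshot after a clean install and run the comparison from cron; the log triage can be pointed at the live access log instead of the embedded sample.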

Joomla site operators should enable automatic updates where possible and audit installed extensions regularly.