Zero-Day Published for Old CMS Versions of Joomla

Last week a report began surfacing regarding a flaw in older versions of the Joomla content management system (CMS). Italian researcher Alessandro Groppo is credited with discovering the bug, and he states that it affects versions 3.0.0 through 3.4.6, released between September 2012 and December 2015. A proof-of-concept has been posted online, and the vulnerability is rather easy to exploit. The bug is a PHP object injection that can lead to Remote Code Execution (RCE), depending on the situation. It is being compared to another common Joomla exploit, CVE-2015-8562, which is also a PHP object injection, but the two are not related. CVE-2015-8562 only worked against PHP versions before 5.4.45, 5.5.29, and 5.6.13, while the newly discovered vulnerability does not depend on the PHP version running on the server; so even though it affects a smaller number of sites, its impact on those sites would be broader. However, the developers appear to have addressed both issues when they released the patch for CVE-2015-8562.
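As an added illustration of the vulnerability class described above (this is not Joomla's code and not the published proof-of-concept), the PHP below shows the unsafe pattern behind a PHP object injection, the hardened deserialization call that prevents it, and a simple check a defender can run over request or log data. The `CacheEntry` class, its property names, the file path and the sample payload are all constructed for the example; `allowed_classes` requires PHP 7.0 or later.

```php
<?php
// Added illustration of PHP object injection (not Joomla code).
// The class, property names and path are hypothetical.

// An innocent-looking class with a magic method. If an attacker controls the
// bytes passed to unserialize(), they choose which class is instantiated and
// what its properties hold, so any such "gadget" runs with the app's privileges.
// The file write is only a stand-in for whatever side effect the method has.
class CacheEntry
{
    public $path = '/tmp/cache.txt';
    public $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: untrusted bytes (cookie, header, form field, stored session)
// are handed straight to unserialize(), which instantiates whatever they name.
function loadPreferencesUnsafe($untrusted)
{
    return unserialize($untrusted);
}

// HARDENED (PHP 7.0+): refuse to instantiate any class from untrusted input.
// Objects in the payload become __PHP_Incomplete_Class, whose magic methods
// never run; anything that is not a plain array is rejected outright.
function loadPreferencesSafe($untrusted)
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    foreach ($value as $v) {
        if (is_object($v)) {          // nested (incomplete) object: reject
            return [];
        }
    }
    return $value;
}

// BETTER: a data format that cannot express PHP objects at all.
function loadPreferencesJson($untrusted)
{
    $value = json_decode($untrusted, true, 8);   // associative arrays only
    return is_array($value) ? $value : [];
}

// Defender-side heuristic for a request filter or log search: a serialized
// PHP object begins with O:<len>:"ClassName". Preference data should never
// contain one. (A string value containing that text would be a false positive.)
function containsSerializedObject($input)
{
    return (bool) preg_match('/(^|[;:{])O:\d+:"/', $input);
}

// Constructed sample input. The object payload is written by hand so that the
// example itself never instantiates CacheEntry.
$benign  = serialize(['theme' => 'dark', 'lang' => 'en']);
$payload = 'O:10:"CacheEntry":2:{s:4:"path";s:14:"/tmp/cache.txt";s:4:"data";s:0:"";}';

var_dump(containsSerializedObject($benign));   // bool(false)
var_dump(containsSerializedObject($payload));  // bool(true)
var_dump(loadPreferencesSafe($payload));       // array(0) {}  -- no CacheEntry created
var_dump(loadPreferencesSafe($benign));        // the two preference keys
```

The `loadPreferencesUnsafe` function is included only to show the shape of the defect; calling it on `$payload` would construct a `CacheEntry` and trigger its destructor, which is exactly the behaviour the patched Joomla versions avoid. The detection regex is a coarse signal for triage, not a substitute for fixing the deserialization call.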

Analyst Notes

It is common for website owners to stay on older CMS versions to avoid plugin and theme issues, and they do not need to update to the newest version to continue operating safely, even though that would be the better option. The current version of Joomla is 3.9.12, but updating to version 3.4.7 or later is enough to prevent this attack.