CVE-2023-28732 MEDIUM

CVE-2023-28732: Missing access control affecting the AcyMailing plugin for Joomla

Vendor Acymailing
Product Newsletter Plugin for Joomla
Weakness CWE-20 · Input validation
Published March 30, 2023
Last update February 11, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, when being granted access to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin in versions below 8.3.0.

Key dates

02Disclosure timeline

March 30, 2023 CVE published
February 11, 2025 Record updated