CVE-2025-22213

State: PUBLISHED · Published: 2025-03-11 · Updated: 2025-03-11 · Assigner: Joomla

Description

Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions.

CWE

CWE-434 — CWE-434 Unrestricted Upload of File with Dangerous Type

Affected

Joomla! Project / Joomla! CMS — v=4.0.0-4.4.11 [affected]; v=5.0.0-5.2.4 [affected]

CVSS

4.0 score=7.1 severity=HIGH CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/AU:N

References

https://developer.joomla.org/security-centre/961-20250301-core-malicious-file-uploads-via-media-managere-malicious-file-uploads-via-media-manager.html vendor-advisory

Source

cvelistV5-main/cves/2025/22xxx/CVE-2025-22213.json