Joomla Patches Critical SQL Injection and File Read Vulnerabilities CVE-2023-23752
Key Takeaways
- Critical vulnerabilities in the Novarain/Tassos Framework affect numerous Joomla extensions.
- These flaws enable unauthenticated SQL injection, arbitrary file reading, and file deletion.
- Successful exploitation could lead to remote code execution and full administrator control over affected websites.
- Patches are available and administrators are urged to update immediately.
A series of critical security vulnerabilities within the Novarain/Tassos Framework, widely utilized by various Joomla extensions, expose websites to severe risks including unauthenticated file reading, file deletion, and SQL injection. If left unpatched, these flaws present a direct path to remote code execution (RCE) and complete administrative compromise of affected Joomla installations.
An in-depth analysis of the shared Novarain/Tassos Framework plugin, identified as plg_system_nrframework, revealed three fundamental security primitives. These were exposed due to insufficient validation within an AJAX handler responsible for processing the task=include action.
Exploitation Chain and Impact
Attackers can leverage this entry point to invoke specific PHP classes located within the Joomla site’s root directory that implement an onAjax method. This effectively transforms internal helper classes into remotely accessible “gadgets” that can be manipulated.
One such gadget involves a class that improperly handles CSV loading. This flaw can be coerced into reading arbitrary files accessible to the webserver user, potentially exposing sensitive configuration or user data.
Another vulnerable class exposes a “remove” action, allowing the deletion of attacker-specified file paths without adequate validation. This could lead to denial-of-service or pave the way for further system compromise.
A third critical flaw lies within a class designed for dynamic field population. This class passes attacker-controlled parameters directly into database queries, creating an SQL injection primitive. This vulnerability allows for the reading of arbitrary tables and columns under the Joomla database account, including sensitive administrator session data.
By chaining these capabilities, an external attacker can steal administrator session information from the database, gain access to the backend, and then deploy malicious extensions or modify templates to achieve persistent remote code execution, culminating in a full site takeover.
Affected Components and Impact
The vulnerable Novarain/Tassos Framework is integrated into several popular Joomla extensions, meaning many websites inherit this risk indirectly. These include Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack.
| Component / Extension | Affected versions |
|---|---|
| Novarain/Tassos Framework (plg_system_nrframework) | v4.10.14 – v6.0.37 |
| Convert Forms | v3.2.12 – v5.1.0 |
| EngageBox | v6.0.0 – v7.1.0 |
| Google Structured Data | v5.1.7 – v6.1.0 |
| Advanced Custom Fields | v2.2.0 – v3.1.0 |
| Smile Pack | v1.0.0 – v2.1.0 |
The impact extends to various versions of the Novarain/Tassos Framework (plg_system_nrframework) and specific releases of each listed extension. Exploitation remains possible as long as the system plugin is enabled on any internet-facing Joomla site.
Given that the attack vector relies solely on unauthenticated AJAX requests, conventional hardening measures such as restricting administrative access or adding extra passwords are insufficient to prevent compromise. Once an attacker can read or delete files and query the database, plugin-level secrets offer no additional defense.
The vendor has responded by releasing updated builds of the Tassos Framework and all affected extensions. These patches are available through the official download sections and standard Joomla update mechanisms. The vulnerabilities were independently discovered by security researcher p1r0x in collaboration with SSD Secure Disclosure.
What You Should Do
- Update Immediately: Administrators must promptly update all Novarain/Tassos components and affected extensions to their latest patched versions.
- Disable Temporarily: If immediate patching is not feasible, temporarily disable the plg_system_nrframework plugin and any related extensions on exposed sites.
- Filter Traffic: Implement defense-in-depth by restricting or filtering com_ajax traffic at the web server or Web Application Firewall (WAF) level.
- Monitor Logs: Regularly review web server and application logs for suspicious task=include requests, unusual CSV-related AJAX activity, or unexplained file deletions, which could indicate attempted exploitation.
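The log-review step above can be automated. The following script is an added example written for this article, not code from HackersRadar, the vendor, or the researchers; it parses web server access logs in the common combined format, flags com_ajax requests that carry the task=include action or any CSV-related parameter, and ranks source addresses by the number of hits. The sample log lines are constructed; the plugin=nrframework and source=export.csv parameters in them are assumptions about how such requests might look, not values taken from the advisory.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (combined log format); not real requests.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.55 - - [10/Mar/2025:12:00:02 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include HTTP/1.1" 200 310 "-" "python-requests/2.31"
203.0.113.55 - - [10/Mar/2025:12:00:03 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include&source=export.csv HTTP/1.1" 200 4097 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?option=com_ajax&plugin=convertforms&format=json HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.55 - - [10/Mar/2025:12:00:05 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.8 - - [10/Mar/2025:12:00:09 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&task=include HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of request fields plus a lower-cased query parameter map, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["params"] = {k.lower(): v[0].lower() for k, v in query.items()}
    return rec


def classify(rec):
    """List the reasons a request is worth a second look; empty list means benign."""
    p = rec["params"]
    if p.get("option") != "com_ajax":
        return []  # only the AJAX entry point is in scope
    reasons = []
    if p.get("task") == "include":
        reasons.append("task=include")  # the action the advisory names
    if any("csv" in k or "csv" in v for k, v in p.items()):
        reasons.append("csv parameter")  # CSV-related AJAX activity
    return reasons


def scan(log_text):
    """Run every line through the parser and classifier; return the flagged requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "status": rec["status"], "target": rec["target"], "reasons": reasons,
            })
    return findings


def top_sources(findings):
    """Rank client addresses by number of flagged requests, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["status"]} {", ".join(h["reasons"])}')
    print("top sources:", top_sources(hits))
```

A 500 or 403 response to one of these requests does not mean the attempt failed or succeeded on its own; correlate the flagged addresses with application logs and with any unexplained file deletions. The same option/task parameters are what a WAF or web server rule would key on when filtering com_ajax traffic as an interim measure.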
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.