Friday, August 14

My Journey to find out Joomla’s CVE (Part 2)

Analysis of CVE-2020-10239


  • A user in the Manager group
  • Joomla core from 3.7.0 to 3.9.15


Quick access available to a user in the Manager group:


Select New. The Type field and the result are shown in the picture below:

Fill in anything. The result after selecting the Save button:

Error: Only a Super User can create an SQL field!

Scenario: create a new field with an allowed type such as text. Afterwards, intercept the save request and change the type to sql. Expected result: a new SQL field instead of a text field.

Create a new field with an allowed type such as text, as in the picture below:

Then select the Save button.

Save again, intercept this request and change it as in the scenario above:

The request contains the parameter jform%5Btype%5D=text; change it to jform%5Btype%5D=sql

Forward the request and see the result:

Scroll down to add a new SQL query:

SQL query:

UPDATE #__user_usergroup_map SET group_id = 8 WHERE user_id=76 AND group_id=6

The user_usergroup_map table assigns a user to a user group. 8 is the Super User group.

76 is the user’s id. 

Some ideas about triggering RCE:

  • Get a Super User’s session: RCE can only be triggered when holding a Super User’s session
  • SQL query to RCE: RCE can only be triggered when the database account is a DBA
  • I have chosen to change myself to Super User and then trigger RCE: independent


After saving, how is it triggered?

Go to create a new Article and it will trigger:


Now you are a Super User and can trigger RCE as follows:

Root cause:

The faulty code is in:


The onContentBeforeSave function checks the wrong condition. The isNew parameter indicates whether the field is new or not. But, as the scenario above shows, Joomla did not apply the check when an existing field in com_fields is updated.

To fix it, Joomla removed the isNew parameter, as in the picture above.
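A simplified model of the check described above, as an added example and not Joomla's own code: it shows why the Super User test was skipped on updates and how dropping isNew closes that path. The names Field, guard_before_fix, guard_after_fix, the is_super_user flag and the scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Field:
    type: str  # value of jform[type] as received in the save request


def guard_before_fix(context, item, is_new, is_super_user):
    """Flawed model: the Super User test is skipped when is_new is False."""
    if context != "com_fields.field" or item.type != "sql" or not is_new:
        return True  # check does not apply, the save continues
    return is_super_user  # False -> "Only a Super User can create an SQL field!"


def guard_after_fix(context, item, is_super_user):
    """Fixed model: is_new is gone, so creates and updates are treated alike."""
    if context != "com_fields.field" or item.type != "sql":
        return True
    return is_super_user


# Constructed scenarios: (label, submitted field, is_new, is_super_user)
SCENARIOS = [
    ("Manager creates a new sql field", Field("sql"), True, False),
    ("Manager re-saves a text field with type=sql", Field("sql"), False, False),
    ("Manager re-saves a text field unchanged", Field("text"), False, False),
    ("Super User re-saves a field with type=sql", Field("sql"), False, True),
]


def evaluate():
    """Return {label: (allowed_before_fix, allowed_after_fix)}."""
    ctx = "com_fields.field"
    return {
        label: (guard_before_fix(ctx, item, is_new, su),
                guard_after_fix(ctx, item, su))
        for label, item, is_new, su in SCENARIOS
    }


if __name__ == "__main__":
    for label, (before, after) in evaluate().items():
        print(f"{label:45} before fix: {before!s:5} after fix: {after}")
```

Only the second scenario differs between the two guards, which is the gap between "create" and "update" that the patch removes.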


CVE-2020-10239 allows RCE


Update to 3.9.16 or the latest version

Exploit automatically:




