Cyber Resilience

CVE-2023-23752

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 February 2023
Modified: 24 October 2025
KEV Added: 08 January 2024
Patch: available
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.9452 (100.0th percentile)
Risk Priority: 87 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-23752 is a medium-severity Improper Access Control (CWE-284) vulnerability in Joomla! (vendor: Joomla). Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2023-23752 is an improper access control vulnerability affecting the webservice endpoints in Joomla versions 4.0.0 through 4.2.7. The flaw stems from insufficient authorization checks on these endpoints, which are exposed over the network and require no authentication to reach.

An unauthenticated attacker with network access can exploit the issue to reach webservice endpoints that should otherwise be restricted, resulting in limited disclosure of information without the ability to modify data or disrupt availability.

Joomla's security advisory recommends applying the vendor-supplied updates that correct the access checks. The vulnerability is also tracked in CISA's catalog of known exploited vulnerabilities, indicating confirmed real-world use. The associated EPSS score has remained elevated, with a current value of 0.9452 and a recorded peak of 0.9631.

Vulnerability details

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 08 January 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: joomla
Product: joomla!
Versions: 4.0.0 — 4.2.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement · prevent
Directly enforces approved authorizations on webservice endpoints, preventing the exact unauthorized access described in the CVE.

Least privilege · prevent
Requires that only the minimum privileges needed to reach webservice endpoints are granted, limiting exposure when access checks are flawed.

AC-17 Remote Access (partial match) · prevent
Mandates explicit authorization and control of remote connections to application endpoints such as the affected webservices.
