CVE-2024-40749
Published: 07 January 2025
Summary
CVE-2024-40749 is a high-severity Improper Access Control (CWE-284) vulnerability in Joomla Joomla\!. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-40749 is an improper access controls vulnerability (CWE-284) affecting the Joomla CMS core component. It enables unauthorized access to protected views across multiple core views. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation grants read access to sensitive data protected by access control lists, resulting in high confidentiality loss without impacting integrity or availability.
The official advisory from the Joomla Security Centre (https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html), published around January 3, 2025, provides details on the core read ACL violation and guidance for mitigation, including patches for affected Joomla versions. Security practitioners should review the advisory for version-specific remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38818
Vulnerability details
Improper Access Controls allows access to protected views.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated network exploitation of public-facing Joomla CMS for unauthorized sensitive data read via ACL bypass.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access, directly preventing unauthorized read access to protected Joomla views due to improper ACL enforcement.
Identifies, reports, and corrects the specific flaw in Joomla core via timely patching, eliminating the improper access control vulnerability.
Monitors systems for unauthorized information disclosure, enabling detection of exploitation resulting in confidentiality loss from protected views.