CVE-2024-40749

High

Published: 07 January 2025

Published

07 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0001 0.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40749 is a high-severity Improper Access Control (CWE-284) vulnerability in Joomla Joomla\!. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, directly preventing unauthorized read access to protected Joomla views due to improper ACL enforcement.

SI-2 Flaw Remediation good match

prevent

Identifies, reports, and corrects the specific flaw in Joomla core via timely patching, eliminating the improper access control vulnerability.

AU-13 Monitoring for Information Disclosure partial match

detect

Monitors systems for unauthorized information disclosure, enabling detection of exploitation resulting in confidentiality loss from protected views.

NVD Description

Improper Access Controls allows access to protected views.

Deeper analysisAI

CVE-2024-40749 is an improper access controls vulnerability (CWE-284) affecting the Joomla CMS core component. It enables unauthorized access to protected views across multiple core views. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation grants read access to sensitive data protected by access control lists, resulting in high confidentiality loss without impacting integrity or availability.

The official advisory from the Joomla Security Centre (https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html), published around January 3, 2025, provides details on the core read ACL violation and guidance for mitigation, including patches for affected Joomla versions. Security practitioners should review the advisory for version-specific remediation steps.

Details

CWE(s): CWE-284 NVD-CWE-Other

Affected Products

joomla

joomla\!

3.9.0 — 3.10.20 · 4.0.0 — 4.4.10 · 5.0.0 — 5.2.3

CVEs Like This One

CVE-2026-23899Same product: Joomla Joomla\!

CVE-2026-21629Same product: Joomla Joomla\!

CVE-2024-40748Same product: Joomla Joomla\!

CVE-2026-21630Same product: Joomla Joomla\!

CVE-2026-23898Same product: Joomla Joomla\!

CVE-2025-24411Same product class: CMS core

CVE-2024-55924Same product class: CMS core

CVE-2026-40488Same product class: CMS core

CVE-2025-24416Same product class: CMS core

CVE-2026-21289Same product class: CMS core

References

https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html
Vendor Advisory · security@joomla.org