CVE-2019-7743: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

May 13, 2022 (updated September 28, 2023)

An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files.

References

developer.joomla.org/security-centre/770-20190206-core-implement-the-typo3-phar-stream-wrapper
github.com/advisories/GHSA-5m3w-rvvh-8fx6
github.com/joomla/joomla-cms/issues/23907
nvd.nist.gov/vuln/detail/CVE-2019-7743
web.archive.org/web/20210730211655/https://www.securityfocus.com/bid/107050

Code Behaviors & Features

Detect and mitigate CVE-2019-7743 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →