CVE-2019-12765
📋 TL;DR
This CSV injection vulnerability in Joomla! allows attackers to inject malicious formulas into exported CSV files from the action logs component. When victims open these CSV files in spreadsheet applications like Excel, the formulas can execute arbitrary commands or access external resources. All Joomla! sites before version 3.9.7 with the action logs component enabled are affected.
💻 Affected Systems
- Joomla!
📦 What is this software?
Joomla! by Joomla
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary commands on victims' systems when they open malicious CSV files, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Attackers trick administrators into downloading and opening malicious CSV exports, leading to local command execution, data exfiltration, or malware installation on the administrator's workstation.
If Mitigated
With proper user awareness training and spreadsheet security settings, the impact is limited to potential data manipulation within the spreadsheet application.
🎯 Exploit Status
Exploitation requires authenticated access to the action logs component. CSV injection techniques are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.7 and later
Vendor Advisory: https://developer.joomla.org/security-centre/783-20190601-core-csv-injection-in-com-actionlogs
Restart Required: No
Instructions:
1. Back up your Joomla! site and database.
2. Update Joomla! to version 3.9.7 or later via the Joomla! Update component.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Action Logs Component
Temporarily disable the vulnerable com_actionlogs component to prevent CSV export functionality.
Navigate to Extensions > Manage > Manage in Joomla! admin, search for 'Action Logs', and disable the component.
Restrict Access to Action Logs
Limit access to the action logs component to trusted administrators only using Joomla!'s access control system.
Navigate to Users > Access Levels in Joomla! admin and restrict 'Action Logs' component access to specific user groups.
🧯 If You Can't Patch
- Implement strict user awareness training about opening CSV files from untrusted sources in spreadsheet applications.
- Configure spreadsheet applications to disable automatic formula execution when opening CSV files.
🔍 How to Verify
Check if Vulnerable:
Check Joomla! version in System > System Information. If version is below 3.9.7, the site is vulnerable.
Check Version:
Check Joomla! admin panel or view the CHANGELOG.php file in the Joomla! root directory.
Verify Fix Applied:
After updating, verify the version shows 3.9.7 or higher in System > System Information.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV export activity from com_actionlogs, especially with suspicious payloads in exported data.
Network Indicators:
- Outbound connections from administrator workstations to unexpected external domains after opening CSV files.
SIEM Query:
source="joomla_logs" AND (event="csv_export" OR component="com_actionlogs") AND data CONTAINS "=", "+", "-", "@"
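
The query above matches those characters anywhere in the data, but a spreadsheet only treats a cell as a formula when the cell begins with one of them. The following is an added example (not code from the advisory or from Joomla!) that scans an exported CSV for such cells and shows the common apostrophe-prefix neutralization. The column names, sample rows and function names are assumptions made for illustration.

```python
import csv
import io

# Leading characters that can make a spreadsheet treat a cell as a formula:
# the four from the query above, plus tab and carriage return.
TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_risky(cell):
    """True if a spreadsheet could evaluate the cell instead of showing it."""
    text = cell.lstrip(" ")  # ignore leading spaces, to be conservative
    if not text.startswith(TRIGGERS):
        return False
    try:
        float(text)          # -42 or +3.5 is a plain signed number
        return False
    except ValueError:
        return True


def find_formula_cells(csv_text):
    """Return (row, column, value) for every risky cell in a CSV export."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    return [
        (row_no, col_no, cell)
        for row_no, row in enumerate(reader, start=1)
        for col_no, cell in enumerate(row, start=1)
        if is_risky(cell)
    ]


def neutralize(cell):
    """Prefix a risky cell with an apostrophe so it is displayed as text."""
    return "'" + cell if is_risky(cell) else cell


# Constructed sample, not a real Joomla! export; column names are assumed.
SAMPLE_EXPORT = (
    '"Id","Action","Name","Extension"\r\n'
    '"1","User admin logged in","admin","com_users"\r\n'
    '"2","User =1+1 updated article","=1+1","com_content"\r\n'
    '"3","Balance adjusted","-42","com_example"\r\n'
    '"4","Profile saved","@SUM(1,1)","com_users"\r\n'
)

if __name__ == "__main__":
    for row_no, col_no, cell in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {row_no}, column {col_no}: {cell!r} -> {neutralize(cell)!r}")
```

Only the two cells that start with a trigger character are reported; the `=1+1` embedded mid-sentence and the signed number `-42` are not.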