CVE-2021-26038

7.5 HIGH

📋 TL;DR

This vulnerability in Joomla! allows authenticated users who have been granted access to the installer component (com_installer) to install extensions without the proper superuser authorization check. It affects Joomla! installations where the ACL permissions for com_installer have been modified from their default settings; default configurations, in which only superusers can reach com_installer, are not vulnerable.

💻 Affected Systems

Products:
  • Joomla!
Versions: 2.5.0 through 3.9.27
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ACL permissions for com_installer have been modified from default superuser-only access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker with installer access could install malicious extensions, leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Privileged users (not superusers) could install unauthorized extensions, potentially introducing security vulnerabilities or unwanted functionality.

🟢 If Mitigated

With default ACL settings, only superusers have installer access, so the missing authorization check cannot be reached by lower-privileged accounts.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires an authenticated account that has been granted access to the com_installer component, which only happens under non-default ACL settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.28

Vendor Advisory: https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html

Restart Required: No

Instructions:

1. Update Joomla! to version 3.9.28 or later.
2. For Joomla! 2.5.x and 3.x, upgrade to supported versions.
3. Apply the patch from the security advisory.

🔧 Temporary Workarounds

Restrict com_installer ACL

all

Ensure that only the Super Users group has access to the com_installer component in the ACL settings; remove any access granted to other groups.

🧯 If You Can't Patch

  • Review and restrict ACL permissions for com_installer to superusers only
  • Monitor extension installation logs and audit installed extensions regularly

🔍 How to Verify

Check if Vulnerable:

Check the Joomla! version in the administrator panel or via the version.php file. If the version is between 2.5.0 and 3.9.27 inclusive, check the ACL settings for com_installer: the installation is vulnerable if any group other than Super Users has been granted access to the component.

Check Version:

Check the Joomla! administrator panel or examine the /libraries/cms/version/version.php file.

Verify Fix Applied:

Verify that the Joomla! version is 3.9.28 or later, and confirm that the ACL settings for com_installer grant access only to superusers.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized extension installation attempts in Joomla! logs
  • Unexpected extension installation events

Network Indicators:

  • Unusual outbound connections after extension installation

SIEM Query:

Search the Joomla! audit logs for 'com_installer' access by accounts that are not in the Super Users group.

🔗 References
