CVE-2023-28733

7.2 HIGH

📋 TL;DR

The AcyMailing Joomla Plugin has a stored cross-site scripting (XSS) vulnerability in templates and emails that allows attackers to inject malicious scripts. It affects front-office users with campaign creation access in Enterprise versions below 8.3.0, enabling script execution in victims' browsers.

💻 Affected Systems

Products:
  • AcyMailing Joomla Plugin Enterprise
Versions: below 8.3.0
Operating Systems: Any OS running Joomla
Default Config Vulnerable: ⚠️ Yes
Notes: Requires front-office campaign creation access to exploit; affects Joomla installations with vulnerable plugin versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites through persistent script injection.

🟠 Likely Case

Attackers with front-office campaign creation access inject malicious scripts into templates/emails, compromising users who view them.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires front-office campaign creation privileges; stored XSS is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.0

Vendor Advisory: https://www.acymailing.com/change-log/

Restart Required: No

Instructions:

1. Log into the Joomla admin panel.
2. Navigate to Extensions > Manage > Update.
3. Update the AcyMailing plugin to version 8.3.0 or later.
4. Clear the Joomla and browser caches.

🔧 Temporary Workarounds

Restrict Front-Office Campaign Creation

Applies to: all

Limit campaign creation permissions to trusted administrators only.

Implement Content Security Policy (CSP)

Applies to: all

Add CSP headers to restrict the sources from which scripts may execute. This limits the impact of an injected script but does not remove the stored payload; the patch is still required.

    Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Place the directive in .htaccess or in the web server configuration.

🧯 If You Can't Patch

  • Disable the AcyMailing plugin entirely if it is not essential.
  • Implement strict input validation and output encoding in custom templates.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Joomla admin under Extensions > Manage > Manage.

Check Version:

There is no command-line version check; confirm the installed version in the Joomla admin panel.

Verify Fix Applied:

Confirm plugin version is 8.3.0 or higher in Extensions > Manage > Manage.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template/email modifications by front-office users
  • Script tags in campaign content logs

Network Indicators:

  • Unexpected script loads from campaign pages
  • Suspicious outbound connections from user browsers

SIEM Query:

search ('template_update' OR 'campaign_create') AND user_role='frontoffice'

Parentheses are required: without them AND binds more tightly than OR and the query matches every 'template_update' event regardless of user role. Field and event names are placeholders to be mapped to your own log schema.
