CVE-2024-5737

6.1 MEDIUM

📋 TL;DR

This vulnerability in the AdmirorFrames Joomla! extension allows cross-site scripting (XSS) attacks. An attacker can embed malicious HTML in image data that gets rendered as HTML by vulnerable webpages. This affects Joomla! sites using AdmirorFrames extension versions before 5.0.

💻 Affected Systems

Products:
  • AdmirorFrames Joomla! extension
Versions: All versions before 5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Joomla! installations with AdmirorFrames extension installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform account takeover, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise.

🟠 Likely Case

Attackers inject malicious scripts to steal user session data or credentials, potentially compromising user accounts on the affected Joomla! site.

🟢 If Mitigated

With proper content security policies and input validation, impact is limited to potential data leakage from the specific vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to upload or inject malicious image data that gets processed by the vulnerable afGdStream.php script.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0 and later

Vendor Advisory: https://github.com/vasiljevski/admirorframes/issues/3

Restart Required: No

Instructions:

1. Update the AdmirorFrames extension to version 5.0 or later.
2. Log into the Joomla! admin panel.
3. Navigate to Extensions > Manage > Update.
4. Check for AdmirorFrames updates.
5. Apply the update if available.
6. Alternatively, download the latest version from the extension repository and install it manually.

🔧 Temporary Workarounds

Disable AdmirorFrames extension (applies to: all)

Temporarily disable the vulnerable extension until patching is possible.

Navigate to Joomla! admin > Extensions > Manage > Manage > Disable AdmirorFrames

Restrict access to afGdStream.php (applies to: linux)

Block direct access to the vulnerable script via web server configuration.

# Apache (2.2 access-control syntax as given; on Apache 2.4 replace the two Order/Deny lines with "Require all denied")
<LocationMatch "afGdStream\.php">
    Order deny,allow
    Deny from all
</LocationMatch>

# Nginx
location ~* afGdStream\.php { deny all; }

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
  • Deploy web application firewall (WAF) rules to detect and block XSS payloads targeting the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check Joomla! admin panel > Extensions > Manage > Manage and look for the AdmirorFrames version. If the version is below 5.0, the system is vulnerable.

Check Version:

Check the Joomla! admin panel or examine the component XML file at /components/com_admirorframes/admirorframes.xml

Verify Fix Applied:

After updating, verify AdmirorFrames version shows 5.0 or higher in Joomla! extensions manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to afGdStream.php with HTML/script content in parameters
  • Multiple failed attempts to access the vulnerable endpoint

Network Indicators:

  • HTTP requests containing script tags or JavaScript in image data parameters to afGdStream.php

SIEM Query:

source="web_server_logs" AND uri="*afGdStream.php*" AND (param="*<script>*" OR param="*javascript:*")
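The log and network indicators above can be turned into a small offline check. The following is an added example, not part of this advisory or of the AdmirorFrames project: it parses web server access logs in the common combined format, URL-decodes query parameters (twice, so double-encoded payloads are not missed), flags requests to afGdStream.php whose parameters carry the script-tag or javascript: markers listed above, and also flags a source address that hits the endpoint with repeated 4xx responses. The log lines and the parameter name `src` are constructed for the example; the real parameter name used by afGdStream.php is not given on this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Simplified parser for the Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators from the advisory: script tags or javascript: URLs in parameters.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)
ENDPOINT = "afGdStream.php"
FAILURE_THRESHOLD = 3  # repeated 4xx/5xx hits from one address before alerting

# Constructed sample log lines (not real traffic); "src" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /components/com_admirorframes/afGdStream.php?src=images%2Fphoto.jpg HTTP/1.1" 200 48213',
    '203.0.113.11 - - [10/Jun/2024:12:00:05 +0000] "GET /components/com_admirorframes/afGdStream.php?src=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.12 - - [10/Jun/2024:12:00:07 +0000] "GET /components/com_admirorframes/afGdStream.php?src=%253Cscript%253E HTTP/1.1" 200 512',
    '203.0.113.13 - - [10/Jun/2024:12:00:09 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9000',
    '203.0.113.14 - - [10/Jun/2024:12:00:10 +0000] "GET /components/com_admirorframes/afGdStream.php?src=a HTTP/1.1" 403 199',
    '203.0.113.14 - - [10/Jun/2024:12:00:11 +0000] "GET /components/com_admirorframes/afGdStream.php?src=b HTTP/1.1" 403 199',
    '203.0.113.14 - - [10/Jun/2024:12:00:12 +0000] "GET /components/com_admirorframes/afGdStream.php?src=c HTTP/1.1" 403 199',
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_params(target):
    """Return the query parameter values of a request target, URL-decoded twice.

    parse_qsl decodes once; the extra unquote_plus calls catch double-encoded values
    (e.g. %253C -> %3C -> <) that a single decode would leave as harmless-looking text.
    """
    query = urlsplit(target).query
    return [unquote_plus(unquote_plus(v)) for _, v in parse_qsl(query, keep_blank_values=True)]


def analyze(lines):
    """Scan log lines and return a list of alert dicts for the afGdStream.php endpoint."""
    alerts = []
    failures = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or ENDPOINT not in rec["target"]:
            continue
        if any(XSS_MARKERS.search(v) for v in decode_params(rec["target"])):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "reason": "xss-marker",
                           "target": rec["target"]})
        if rec["status"] >= 400:
            failures[rec["ip"]] = failures.get(rec["ip"], 0) + 1
    for ip, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append({"ip": ip, "reason": "repeated-failures", "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run over the constructed sample, the script reports the plainly encoded and the double-encoded script-tag requests plus the address that produced three 403s against the endpoint; the normal image request and the unrelated index.php hit produce nothing. Point it at a real access log by replacing SAMPLE_LOG with the file's lines, and adjust ENDPOINT if the extension is installed under a different path.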
