Add JCE profiles.import unauthenticated RCE module#21615
Open
15py15py15py wants to merge 6 commits into
Open
Conversation
- Fix nil guard, extension regex, and error message punctuation - Correct doc inaccuracies: remove non-existent .phtm, clarify FILENAME default - Address msftidy warnings and reflow doc line wrapping
msutovsky-r7
reviewed
Jul 1, 2026
| 'uri' => normalize_uri(target_uri.path, 'tmp', filename) | ||
| ) | ||
|
|
||
| return CheckCode::Safe('Target does not allow direct access of uploaded files.') unless res && res.code != 403 |
Contributor
There was a problem hiding this comment.
Suggested change
| return CheckCode::Safe('Target does not allow direct access of uploaded files.') unless res && res.code != 403 | |
| return CheckCode::Safe('Target does not allow direct access of uploaded files.') unless res&.code != 403 |
Author
There was a problem hiding this comment.
I think this case is different. Requests to tmp/ can sometimes just be refused or timed out and the shortened version would miss those cases. Maybe we leave it as is?
Author
|
I hope I got everything right. Thanks for your patience. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds an exploit module for CVE-2026-48907, an unauthenticated arbitrary profile creation vulnerability in the JCE (Joomla Content Editor) extension for Joomla!.
The
profiles.importtask fails to enforce authentication, allowing the import of a crafted profile that is directly written to disk as a PHP web shell. This results in remote code execution, provided that thetmp/directory is not explicitly restricted. JCE versions up to and including 2.9.99.4 are affected.Breaking Changes
None
Verification Steps
check. Expected output confirms the target is vulnerable and reports the detected JCE version.exploitand confirm that a Meterpreter session opens successfully.Test Evidence
Environment
AI Usage Disclosure
AI was used to proofread and refine the PR description and module documentation. No AI assistance was used in writing or modifying the module code itself.
Pre-Submission Checklist
documentation/modules(new modules only)lib/changes)