Millions of websites used in e-commerce and other sensitive industries are vulnerable to remote take-over hacks made possible by a critical vulnerability that has affected the Joomla content management system for almost two years.
The SQL-injection vulnerability was patched by Joomla on Thursday with the release of version 3.4.5. The vulnerability, which allows attackers to execute malicious code on servers running Joomla, was first introduced in version 3.2 released in early November 2013. Joomla is used by an estimated 2.8 million websites.
"Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable," Asaf Orpani, a researcher inside Trustwave's Spiderlabs, wrote in a blog post (the post appears to be offline at the moment, but it was working through most of Friday morning). The vulnerability, and two closely related security flaws, have been cataloged as CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858.