Phoca Cz Phoca Download Extension For Joomla
Monthly
Arbitrary file upload in the Phoca Download extension for Joomla lets any authenticated registered user upload executable files (e.g. PHP) that the server will run, yielding full remote code execution. The flaw is scored 9.0 (CVSS 4.0) and is exploitable over the network by low-privilege accounts, so any site permitting self-registration is directly at risk. A public technical write-up describing the RCE technique exists, though no active exploitation has been confirmed by CISA KEV.
Arbitrary file upload in the Phoca Download extension for Joomla lets any authenticated registered user upload executable files (e.g. PHP) that the server will run, yielding full remote code execution. The flaw is scored 9.0 (CVSS 4.0) and is exploitable over the network by low-privilege accounts, so any site permitting self-registration is directly at risk. A public technical write-up describing the RCE technique exists, though no active exploitation has been confirmed by CISA KEV.