🔴 Critical  |  Source: The Register — Security


Attackers are actively exploiting critical vulnerabilities (CVSS 10.0) in two popular Joomla extensions — iCagenda and Balbooa Forms — to compromise websites running the open-source CMS. Joomla powers approximately one million sites worldwide, making the blast radius of these flaws considerable. The perfect severity scores indicate these bugs are trivially exploitable and require no authentication or special privileges.

Security Architect’s Take: If your organisation hosts or manages any Joomla-based sites, audit installed extensions immediately and apply patches for iCagenda and Balbooa Forms without delay. Where immediate patching isn’t possible, use a web application firewall (WAF) to block exploit attempts and consider temporarily disabling the affected extensions until remediation is confirmed.

Original advisory: Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites