Joomla! Core improper access check in webservice endpoints
Description
Joomla! Core versions 4.0.0 through 4.2.7 contain an improper access control vulnerability in their webservice endpoints. This authentication bypass flaw allows unauthenticated remote attackers to access API endpoints that should require authentication, potentially exposing sensitive configuration details and system information about the Joomla! installation. The vulnerability was addressed in version 4.2.8.
Remediation
Immediately upgrade all affected Joomla! installations to version 4.2.8 or later. To perform the upgrade:
1. Back up your Joomla! installation and database before proceeding
2. Navigate to System → Update → Joomla in the administrator panel
3. Click 'Install the Update' to upgrade to version 4.2.8 or higher
4. Alternatively, download the latest version from the official Joomla! website and perform a manual upgrade
5. After upgrading, verify the installation is running version 4.2.8 or later in System → System Information
6. Review access logs for any suspicious API requests to webservice endpoints that may indicate prior exploitation
If immediate patching is not possible, consider implementing temporary network-level restrictions to limit access to webservice endpoints until the upgrade can be completed.