This module abuses insufficient validation in the unauthenticated JCE profiles.import endpoint to upload a crafted profile file with a PHP extension. When the file is written under the Joomla tmp directory and executed by the web server, it provides a command execution primitive. 1. Fingerprints the JCE Editor component and checks the detected version. 2. Extracts a Joomla CSRF token from the site root. 3. Uploads a PHP command runner through the vulnerable profiles.import task. 4. Verifies code execution from the Joomla tmp directory. 5. Detects the target operating system through the command runner. 6. Uses the resulting command primitive to commit an OSCI agent or deploy a network agent.
CVE Link
Exploit Type
Product Name