False CVE report on K2 v2.8.0

  • Fotis
  • Fotis's Avatar Topic Author
  • Offline
  • Administrator
  • JoomlaWorks Support Team
1 year 9 months ago - 1 year 9 months ago #166906 by Fotis
Fotis created the topic: False CVE report on K2 v2.8.0
A false CVE report on K2 v2.8.0 has spread in some CVE databases (e.g. - albeit with a "pending verification" status) but rest assured that IT IS NOT a valid vulnerability.

The Joomla VEL team contacted us originally on Tuesday Feb 27th to verify the report, however tests from both sides revealed that indeed it's not a valid one. Any attempt to download files that are located outside of /images (or whichever path you've set for the Joomla media manager in Joomla's Global Configuration) is blocked. Thus no CMS files or other important files outside the CMS directory (e.g. outside /public_html commonly used in hosts worldwide) can be retrieved.

The report claims it is possible to download any file from a site running K2 via its media manager, but in reality, it's ONLY possible to download files stored inside the public /images folder, in other words only static files meant to distribute publicly either way. which is how things are supposed to work either way. Keep in mind that K2 will automatically use whichever folder is set as the Joomla media manager path in Joomla's Global Configuration and additionally, Joomla will never allow a site admin to accidentally use / as the path for the media manager.

For those that may host sensitive files inside /images, e.g. .php files, first off, it's bad practise, don't do it. This folder is meant to store files that are generally distributed publicly and can be browsed by registered users. Secondly, since you can ONLY browse static media file types through the K2 media manager (e.g. images, videos, documents, html or compressed files), unless someone knows you keep sensitive files in /images and where exactly, it's impossible to download them. But even for such edge cases, where the site admin has left .php files inside /images, we have added an extra check in K2 in the upcoming version 2.8.1 which will stop any such activity. You can see the commit in the K2 repo on GitHub here:

If you believe that your site may host sensitive files inside the /images folder, you can go ahead and install on top of K2 v2.8.0 the dev release of K2 v2.8.1 from:

As always, we take security very seriously for all our products.

If you use & love K2, please take a moment to add your review and rate it
at the Joomla Extensions Directory:

IMPORTANT: Please search the forum before posting a question!

JoomlaWorks Support Team Member
Last edit: 1 year 9 months ago by Fotis.

Please Log in or Create an account to join the conversation.

Powered by Kunena Forum