CVE-2017-18345

CRITICAL

joomanager < 2.0.0 - Unauthenticated Arbitrary File Download via configuration.php Path Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-18345. PoCs published by Luth1er.

AI-analyzed exploit summary: This Python script exploits an arbitrary file download vulnerability in the Joomla component 'com_joomanager'. It constructs a malicious URL to download sensitive files like 'configuration.php' by manipulating the 'path' parameter.

Description

The Joomanager component through 2.0.0 for Joomla! has an arbitrary file download issue, resulting in exposing the credentials of the database via an index.php?option=com_joomanager&controller=details&task=download&path=configuration.php request.

Exploits (2)

exploitdb WORKING POC
by Luth1er · python · webapps · php
https://www.exploit-db.com/exploits/44252

This Python script exploits an arbitrary file download vulnerability in the Joomla component 'com_joomanager'. It constructs a malicious URL to download sensitive files like 'configuration.php' by manipulating the 'path' parameter.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Joomla with com_joomanager component
No auth needed
Prerequisites: Target URL with vulnerable Joomla component
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 8 stars
by Luth1er · poc
https://github.com/Luth1er/CVE-2017-18345-COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD

This is a Python-based exploit for CVE-2017-18345, targeting an arbitrary file download vulnerability in the Joomla component 'com_joomanager'. The script automates the exploitation process by sending crafted requests to download sensitive files like 'configuration.php'.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Joomla with com_joomanager component
No auth needed
Prerequisites: Target URL with vulnerable 'com_joomanager' component
devstral-2 · analyzed Feb 16, 2026

References (3)

Mitigation, Vendor Advisory x_refsource_misc
https://vel.joomla.org/vel-blog/2020-joomanager-2-0-0-other
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44252
Exploit, Third Party Advisory x_refsource_misc
https://cxsecurity.com/issue/WLB-2018030054

Scores

CVSS v3: 9.8
EPSS: 0.0297
EPSS Percentile: 85.4%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-200
Status: published
Products (1): joomanager_project/joomanager < 2.0.0
Published: Aug 26, 2018
Tracked Since: Feb 18, 2026