Versions (2)
Version Details (Current)
Rev: 1 • Jul 21, 2025, 12:00 PM
ET WEB_SPECIFIC_APPS Joomla JS jobs Plugin jsjobs GDPR Multiple Parameters SQL Injection Attempt (CVE-2025-22206, CVE-2025-22208)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla JS jobs Plugin jsjobs GDPR Multiple Parameters SQL Injection Attempt (CVE-2025-22206, CVE-2025-22208)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/administrator/index.php"; http.request_body; content:"option|3d|com_jsjobs"; fast_pattern; pcre:"/(?:fieldfor|filter_email)\x3d[^\x3c]*?(?:\x27|%27|\x2d{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT))|U(?:NION\x20SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/i"; reference:cve,2025-22206; reference:cve,2025-22208; reference:url,github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22208; classtype:web-application-attack; sid:2063646; rev:1; metadata:affected_product Joomla, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_07_21, cve CVE_2025_22208, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Jul 21, 2025, 12:00 PM
Jul 21, 2025, 9:34 PM
Jul 24, 2025, 9:34 PM
rules/emerging-web_specific_apps.rules