{
  "parent_root_cause": "Missing authorization on com_pagebuilderck ajax controller endpoints: CKBrowse::ajaxAddPicture() performs an arbitrary file upload (attacker-controlled path, filename including extension, and content) with only a guest-obtainable CSRF token and no core.edit authorization check, enabling unauthenticated PHP web shell upload -> RCE.",
  "variant_root_cause": "Same missing-authorization class on alternate ajax endpoints (fonts.save, pixabay.upload, browse.ajaxCreateFolder, frontedition.createModule, ajaxParamsCall gadget) on the vulnerable version. However, only ajaxAddPicture accepts an attacker-controlled file EXTENSION (its extension allowlist is commented out), so only ajaxAddPicture can deliver a .php web shell -> RCE. The other sinks force safe extensions (.css/.txt/font/img) or perform DB-only writes.",
  "shared_sink": "CKBrowse::ajaxAddPicture() file_put_contents(JPATH_SITE . imgpath . filename, object->data) with attacker-controlled filename extension",
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "fix_covers_sink": true,
  "fix_covers_alternate_triggers": true,
  "bypass_found": false,
  "explanation": "The fix's central CKController::execute() check (if ($task !== 'display') CKFof::checkSecurity()) authorizes every non-display task, covering ajaxAddPicture and all surveyed alternate triggers. The display-task exemption only renders views and writes no .php file. No alternate sink can deliver a .php web shell because they force safe extensions or fixed paths. Therefore the variants share the missing-authz root cause but are NOT RCE-capable and NOT bypasses of the fix."
}
