{
  "variant_id": "pruva-cve-2026-48939-image-field-negative",
  "created_at": "2026-07-06T15:15:00Z",
  "variant_summary": "Negative variant result: the alternate unauthenticated public jform[image] upload field accepts a GIF/PHP polyglot but stores it as .gif and does not execute PHP on iCagenda 4.0.7 or fixed 4.0.8.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://www.joomlic.com/download/icagenda",
  "submitted_target": {
    "target_kind": "release_package",
    "version": "4.0.7",
    "ref": "package-icagenda-core-4-0-7-zip",
    "display": "Official iCagenda 4.0.7 package; SHA-256 f12e38d16f7c6cdf9bfd4bde9ab2351f8123c78e09b1db0846371eb42fb30537"
  },
  "variant_target": {
    "target_kind": "release_package",
    "version": "4.0.8",
    "ref": "package-icagenda-core-4-0-8-zip",
    "display": "Official iCagenda 4.0.8 fixed package; SHA-256 be3788daaef85b903b540685eebeec2bf3257ed2cc02159f11fbddf5e707ce74"
  },
  "same_root_cause_confidence": "low",
  "same_surface_confidence": "medium",
  "claimed_surface": "Unauthenticated public event submission attachment field jform[file] stores arbitrary PHP under web-accessible attachments directory.",
  "validated_surface": "Unauthenticated public event submission image field jform[image] stores a GIF/PHP polyglot as .gif under web-accessible images directory but does not execute PHP.",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "/index.php?option=com_icagenda&task=submit.submit multipart field jform[image]",
  "attacker_controlled_input": "Multipart upload field jform[image] with filename pruva-image-field-<role>.php, type image/gif, and GIF/PHP polyglot content.",
  "trigger_path": [
    "site/src/Controller/SubmitController.php::submit",
    "site/src/Model/SubmitModel.php::submit",
    "site/src/Model/SubmitModel.php::frontendImageUpload",
    "Joomla\\Filesystem\\File::upload"
  ],
  "observed_impact_class": "none",
  "exploitability_confidence": "none",
  "evidence_scope": "runtime_negative_control",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "The alternate field did not preserve a PHP extension and did not execute as PHP on the tested runtime. No fixed-version bypass was reproduced.",
  "blocking_mitigation": "Image path rewrites the file to a detected image extension and Apache/PHP serves .gif statically; fixed attachment path uses MediaHelper::canUpload().",
  "file_path": "site/src/Model/SubmitModel.php",
  "line_start": 1305,
  "line_end": 1403,
  "secondary_anchors": [
    {
      "file_path": "site/src/Model/SubmitModel.php",
      "line_start": 1413,
      "line_end": 1505
    },
    {
      "file_path": "admin/src/Model/EventModel.php",
      "line_start": 896,
      "line_end": 912
    },
    {
      "file_path": "site/src/Controller/SubmitController.php",
      "line_start": 68,
      "line_end": 148
    }
  ],
  "review_scope_paths": [
    "site/src/Model/SubmitModel.php",
    "site/src/Controller/SubmitController.php",
    "admin/src/Model/EventModel.php",
    "site/forms/submit.xml",
    "admin/forms/event.xml"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
