[20190701] – Core – Filter attribute in subform fields allows remote code execution

[20190701] – Core – Filter attribute in subform fields allows remote code execution

July 9, 2019 Miscellaneous Security 0
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.9.7 – 3.9.8
  • Exploit type: Remote Code Execution
  • Reported Date: 2019-June-20
  • Fixed Date: 2019-July-09
  • CVE Number: TBA

Description

Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

Affected Installs

Joomla! CMS versions 3.9.7 – 3.9.8

Solution

Upgrade to version 3.9.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST