- Project: Joomla!
- SubProject: CMS
- Severity: High
- Versions: 1.6.0 through 3.6.4
- Exploit type: Elevated Privileges
- Reported Date: 2016-November-04
- Fixed Date: 2016-December-06
- CVE Number: CVE-2016-9838
Description
Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
Affected Installs
Joomla! CMS versions 1.6.0 through 3.6.4
Solution
Upgrade to version 3.6.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: @iamsecurity