• Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 through 3.8.7
  • Exploit type: Information Disclosure
  • Reported Date: 2018-February-09
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11325

Description

The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and displays the plain text password for the administrator account at the confirmation screen.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sascha Egerer