[20180506] - Core - Filter field in com_fields allows remote code execution

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.7.0 through 3.8.7
Exploit type: Remote Code Execution
Reported Date: 2018-May-14
Fixed Date: 2018-May-22
CVE Number: CVE-2018-11321

Description

Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST