[20181002] - Core - Inadequate default access level for com_joomlaupdate

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Low
Versions: 2.5.4 through 3.8.12
Exploit type: Object Injection
Reported Date: 2018-June-21
Fixed Date: 2018-October-02
CVE Number: CVE-2018-17856

Description

Joomla’s com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled access of Administrator-level users to access com_joomlaupdate and trigger a code execution.

Affected Installs

Joomla! CMS versions 2.5.4 through 3.8.12

Solution

Upgrade to version 3.8.13

Contact

The JSST at the Joomla! Security Centre.

Reported By: Codesafescan