- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.9.2
- Exploit type: Object Injection
- Reported Date: 2019-January-18
- Fixed Date: 2019-February-12
- CVE Number: CVE-2019-7743
The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
Joomla! CMS versions 2.5.0 through 3.9.2
Upgrade to version 3.9.3
The JSST at the Joomla! Security Centre.
Reported By: David Jardin (JSST)