- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: High
- Versions: 3.2.0 through 3.9.4
- Exploit type: ACL Violation
- Reported Date: 2019-March-13
- Fixed Date: 2019-April-08
- CVE Number: CVE-2019-10946

Description: The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.

Affected Installs: Joomla! CMS versions 3.2.0 through 3.9.4

Solution: Upgrade to version 3.9.5

Contact: The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle (JSST)