[20190701] - Core - Filter attribute in subform fields allows remote code execution

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.9.7 - 3.9.8
Exploit type: Remote Code Execution
Reported Date: 2019-June-20
Fixed Date: 2019-July-09
CVE Number: CVE-2019-14654

Description

Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

Affected Installs

Joomla! CMS versions 3.9.7 - 3.9.8

Solution

Upgrade to version 3.9.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST