[20200401] - Core - Incorrect access control in com_users access level editing function

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.8.8 - 3.9.16
Exploit type: Incorrect Access Control
Reported Date: 2020-March-13
Fixed Date: 2020-April-21
CVE Number: CVE-2020-11891

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

Affected Installs

Joomla! CMS versions 3.8.8 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC