• Project: Joomla!
• SubProject: CMS
• Impact: High
• Severity: Low
• Versions: 2.5.0 - 3.9.27
• Exploit type: Incorrect Access Control
• Reported Date: 2021-06-06
• Fixed Date: 2021-07-06
• CVE Number: CVE-2021-26038

Description

Install action in com_installer lack the required hardcoded ACL checks for superusers, leading to various potential attack vectors. A default system is not affected cause by default com_installer is limited to super users already.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.27

Solution

Upgrade to version 3.9.28

Contact

The JSST at the Joomla! Security Centre.