[20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users - Applicacious

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: High
  • Versions: 3.2.0 through 3.9.4
  • Exploit type: ACL Violation
  • Reported Date: 2019-March-13
  • Fixed Date: 2019-April-08
  • CVE Number: CVE-2019-10946

Description

The “refresh list of helpsites” endpoint of com_users lacks access checks, allowing calls from unauthenticated users.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.9.4

Solution

Upgrade to version 3.9.5

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle (JSST)
  • April 9, 2019