Description
The Joomla security team have released a new version of Joomla to patch a critical remote command execution vulnerability that affects all versions from 1.5 to 3.4. Browser information is not filtered properly while saving the session values into the database which leads to a remote code execution vulnerability.
Remediation
Upgrade to Joomla! CMS version 3.4.6. If you are using the old (unsupported) versions 1.5.x and 2.5.x, you have to apply the hotfixes listed in the Web references section.
References
Security hotfixes for Joomla EOL versions
[20151201] - Core - Remote Code Execution Vulnerability
Critical 0-day Remote Command Execution Vulnerability in Joomla
Related Vulnerabilities
Zenphoto Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2012-0993)
Apache Unomi MVEL RCE (CVE-2020-13942)
vBulletin Pre-Auth RCE Vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface
WordPress Plugin Gutenberg Block Editor Toolkit-EditorsKit Remote Code Execution (1.31.5)