Description

In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.

Remediation

References

CVE-2019-14654

Related Vulnerabilities

WordPress Plugin Yoast SEO Cross-Site Scripting (3.4.0)

Magento Session Fixation Vulnerability (CVE-2019-7849)

Drupal Core 7.x Cross-Site Scripting (7.0 - 7.64)

WordPress Plugin FireStorm Professional Real Estate 'id' Parameter SQL Injection (2.06.03)

Nginx Improper Input Validation Vulnerability (CVE-2011-4968)

Severity

High

Classification

CVE-2019-14654 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities