[20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity:High
  • Versions: 3.2.0 through 3.9.4
  • Exploit type: ACL Violation
  • Reported Date: 2019-March-13
  • Fixed Date: 2019-April-08
  • CVE Number:CVE-2019-10946

Description

The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.

Affected

Installs

Joomla! CMS versions 3.2.0 through 3.9.4

Solution

Upgrade to version 3.9.5

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle (JSST)