[20190501] - Core - XSS in com_users ACL debug views

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity:Low
  • Versions: 1.7.0 through 3.9.5
  • Exploit type: XSS
  • Reported Date: 2019-April-29
  • Fixed Date: 2019-May-07
  • CVE Number:CVE-2019-11809

Description

The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS

attack vector.

Affected Installs

Joomla! CMS versions 1.7.0 through 3.9.5

Solution

Upgrade to version 3.9.6

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)