CVE-2019-14654

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-14654

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14654.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-14654

Published

2019-08-05T01:15:10.657Z

Modified

2026-04-10T04:12:23.093274Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.

References

https://developer.joomla.org/security-centre/787-20190701-core-filter-attribute-in-subform-fields-allows-remote-code-execution.html

Affected packages

Git / github.com/joomla/joomla-cms

Affected ranges

Type

GIT

Repo

https://github.com/joomla/joomla-cms

Events

Introduced

Last affected

b06019e83efc67e06e694753ab114d7c98eaf5cf

Introduced

Last affected

83c87ac471a4b2f106d2884c9bc7bb5305e740fc

Introduced

Last affected

bbc22b9b31953f10f9615b68a700242c23b2fa86

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.9.7-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.9.7-rc"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.9.8"
        }
    ]
}

Affected versions

1.*

1.7.3

2.*

2.5.0

2.5.0_beta1

2.5.0_beta2

2.5.1

2.5.4

2.5.5

2.5.6

3.*

3.0.0

3.0.0_alpha-1

3.0.0_alpha-2

3.0.0_beta1

3.0.1

3.0.3

3.1.0_beta1

3.1.0_beta2

3.1.0_beta3

3.1.0_beta4

3.1.0_beta5

3.1.1

3.1.5

3.2.0

3.2.0.alpha

3.2.0.beta

3.2.0.rc

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.4.0

3.4.0-beta1

3.4.0-beta2

3.4.0-beta3

3.4.0-rc

3.4.1

3.4.1-rc

3.4.1-rc2

3.4.2

3.4.2-rc

3.4.3

3.4.4

3.4.4-rc

3.4.4-rc2

3.4.5

3.5.0

3.5.0-beta

3.5.0-beta2

3.5.0-beta3

3.5.0-beta4

3.5.0-beta5

3.5.0-rc

3.5.0-rc2

3.5.0-rc4

3.5.1

3.5.1-rc

3.5.1-rc2

3.6.0

3.6.0-alpha

3.6.0-beta1

3.6.0-beta2

3.6.0-rc

3.6.0-rc2

3.6.1

3.6.1-rc1

3.6.1-rc2

3.6.2

3.6.3

3.6.3-rc1

3.6.3-rc2

3.6.3-rc3

3.7.0

3.7.0-alpha1

3.7.0-beta1

3.7.0-beta2

3.7.0-beta3

3.7.0-beta4

3.7.0-rc1

3.7.0-rc2

3.7.0-rc3

3.7.0-rc4

3.7.1

3.7.1-rc1

3.7.1-rc2

3.7.2

3.7.3

3.7.3-beta1

3.7.3-rc1

3.7.3-rc2

3.7.4-beta1

3.7.4-rc1

3.8.0

3.8.0-beta1

3.8.0-beta2

3.8.0-beta3

3.8.0-beta4

3.8.0-rc1

3.8.1

3.8.1-rc

3.8.10

3.8.11

3.8.11-rc

3.8.12

3.8.12-rc

3.8.2

3.8.2-rc

3.8.3

3.8.3-rc

3.8.4

3.8.4-rc

3.8.4-rc2

3.8.5

3.8.5-rc

3.8.6

3.8.6-rc1

3.8.7

3.8.7-rc

3.8.8

3.8.8-rc

3.8.9

3.8.9-rc

3.9.0

3.9.0-beta

3.9.0-beta2

3.9.0-beta3

3.9.0-beta4

3.9.0-rc

3.9.0-rc2

3.9.1

3.9.1-rc

3.9.2

3.9.2-rc

3.9.3

3.9.3-rc

3.9.4

3.9.4-rc

3.9.5

3.9.5-rc

3.9.6

3.9.6-rc

3.9.6-rc2

3.9.7

3.9.7-rc

3.9.8

Other

issues-241-257

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14654.json"