Joomla!: [20190701] - Core - Filter attribute in subform fields allows remote code execution (CVE-2019-14654)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Jul 10, 2019 | Jul 10, 2019 | Mar 30, 2026 |
Description
In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.
Solution
joomla-upgrade-3_9_9