Sucuri researchers spotted a critical SQL injection vulnerability in Joomla! 3.7.0 that is easy to exploit and does not require a privileged account on the victim's site.
The researchers said the vulnerability is caused by the public-facing com_fields component in version 3.7.0 and could allow an attacker to leak password hashes or hijack a logged-in user's session, resulting in a full account compromise, according to a May 17 blog post.
“The public-facing com_fields component borrows some views from the administrative side component of the same name,” researchers said in the post. “While this may sound like an odd thing to do, it serves a very practical purpose – it allows the reuse of generic code that was written for the other side, instead of writing it from scratch again.”
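The bug class behind that reuse, as an added illustration rather than Joomla's own code: query-building logic written for the trusted administrator side ends up being reachable by anonymous visitors, so any request value it pastes into SQL text becomes an injection point. The Python/sqlite example below is constructed for this page; the table names, the `context` and `ordering` parameters, the fake hashes and the two payloads are assumptions, not the Joomla component's real parameters or the Sucuri payload. It shows a direct hash leak through a string filter, a blind probe through the ORDER BY column (which cannot be bound, so it must be whitelisted), and the hardened query that defeats both.

```python
import sqlite3

# Constructed schema and rows for this example (not Joomla's tables):
# "fields" is what the public list view is meant to show, "users" holds
# password hashes that the view should never be able to reach.
SCHEMA = """
CREATE TABLE fields (id INTEGER PRIMARY KEY, title TEXT, context TEXT, state INTEGER);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
"""
FIELDS = [
    (1, "Phone", "com_contact.contact", 1),
    (2, "Birthday", "com_users.user", 1),
    (3, "Address", "com_users.user", 1),
    (4, "Draft", "com_users.user", 0),  # unpublished; must never be listed
]
# Fake hashes with a bcrypt-style prefix so the blind probe has something to find.
ADMIN_HASH = "$2y$10$constructed.fake.hash.for.admin"
EDITOR_HASH = "$2y$10$constructed.fake.hash.for.editor"
USERS = [(1, "admin", ADMIN_HASH), (2, "editor", EDITOR_HASH)]

ALLOWED_ORDER = {"id", "title", "context"}  # whitelist of sortable columns


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO fields VALUES (?, ?, ?, ?)", FIELDS)
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def list_fields_vulnerable(con, context, ordering="title"):
    """Unsafe shape: both the filter value and the sort column come straight
    from the request and are pasted into the SQL text."""
    sql = (
        "SELECT title, context FROM fields "
        f"WHERE state = 1 AND context = '{context}' ORDER BY {ordering}"
    )
    return con.execute(sql).fetchall()


def list_fields_fixed(con, context, ordering="title"):
    """Hardened shape: the filter value is a bind parameter; the sort column,
    which SQL cannot bind, is accepted only if it names a known column."""
    if ordering not in ALLOWED_ORDER:
        raise ValueError(f"refusing unknown ordering column: {ordering!r}")
    sql = (
        "SELECT title, context FROM fields "
        f"WHERE state = 1 AND context = ? ORDER BY {ordering}"
    )
    return con.execute(sql, (context,)).fetchall()


def whitelist_rejects(con, ordering):
    """True if the hardened query refuses the given sort column."""
    try:
        list_fields_fixed(con, "com_users.user", ordering=ordering)
    except ValueError:
        return True
    return False


# Constructed payload for the filter value: close the quoted string, UNION in
# the users table (same column count as the view), comment out the rest.
LEAK_PAYLOAD = "x' UNION SELECT username, password FROM users -- "


def order_probe(guess):
    """Constructed payload for the sort column: no quote is needed, because the
    column name already sits outside any string literal. The CASE sorts by id
    when the guess matches the start of admin's hash and by title otherwise,
    so the first row returned leaks one boolean per request."""
    return (
        "(CASE WHEN (SELECT substr(password, 1, %d) FROM users WHERE username = 'admin') "
        "= '%s' THEN id ELSE title END)" % (len(guess), guess)
    )


def blind_leak_first_char(con, alphabet="$0123456789abcdef"):
    """Recover the first character of admin's hash through the ordering column
    alone; no row of the users table ever appears in the output."""
    for ch in alphabet:
        rows = list_fields_vulnerable(con, "com_users.user", ordering=order_probe(ch))
        if rows[0][0] == "Birthday":  # id order (2, 3) instead of title order
            return ch
    return None
```

The second payload is the reason a "just use bind parameters" fix is incomplete: an ORDER BY column is an identifier, not data, so the hardened version has to validate it against the columns the view actually supports, on the assumption that the caller is anonymous even when the code was written for administrators.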
Joomla patched the issue in version 3.7.1 alongside a host of other fixes, including corrected attribute checks in the new calendar, injection of the JInput dependency into the session handler, and a fix for the backwards-compatibility (b/c) break in JMenuItem. The update also fixed article ordering in the backend, millisecond handling for PHP versions lower than 7.1.0, and JFilterInput adding byte offsets to character offsets.
Other fixes addressed redirection failures on multiple status values produced by old FOF2 extensions and the removal of an empty locked cache file when the callback function terminates the process.
Users are encouraged to update to the latest version as soon as possible.