Joomla Jomres Component Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in the Joomla Jomres component version 9.11.2. This vulnerability allows attackers to manipulate user account information by deceiving authenticated users into visiting harmful pages. Exploitation involves crafting HTML forms with hidden fields that target the account/index endpoint, enabling the unauthorized alteration of passwords, email addresses, and profile details.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of user account information, including passwords and email addresses.

Reproduction

To reproduce this vulnerability, an attacker must create a malicious webpage that includes an HTML form pre-filled with the target user's account information. This form should be set to submit automatically to the Joomla account/index endpoint. When the victim visits the page, the form will be submitted without their consent, thereby changing the user's account details as specified in the form.
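The auto-submitted form described above succeeds only when the account/index handler accepts a state-changing request on the strength of the session cookie alone. The following is an added example, not code from Jomres or Joomla, of a server-side gate that rejects such a request. The function names, the `csrf_token` field and the `https://hotel.example` origin are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: one random token per session, embedded as a hidden
// field in every form that changes account data.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hypothetical gate run before the account update handler changes anything.
function is_request_allowed(
    string $method,
    array $headers,
    array $post,
    array $session,
    string $trustedOrigin
): bool {
    if ($method !== 'POST') {
        return false; // state changes are never accepted over GET
    }
    // Browsers attach Origin to cross-site POSTs; a foreign value means the
    // form was submitted from another site.
    if (isset($headers['Origin']) && $headers['Origin'] !== $trustedOrigin) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false; // no token issued, or field missing or malformed
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample requests (site origin and field values are made up).
$session = [];
$site = 'https://hotel.example';
$token = issue_csrf_token($session);

$sameSite = is_request_allowed('POST', ['Origin' => $site],
    ['email' => 'guest@hotel.example', 'csrf_token' => $token], $session, $site);
$crossSite = is_request_allowed('POST', ['Origin' => 'https://other.example'],
    ['email' => 'changed@other.example'], $session, $site);
$noToken = is_request_allowed('POST', [], ['email' => 'changed@other.example'], $session, $site);

var_dump($sameSite, $crossSite, $noToken);
```

Only the first request, which carries the session's own token from the site's own origin, passes the gate. The other two are refused before any password, email or profile field is read.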

Added: May 26, 2026, 9:12 PM
Updated: May 26, 2026, 9:12 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.