Description
Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with hidden fields to change passwords, email addresses, and profile details without user consent.
Published: 2026-05-23
Score: 5.3 Medium (CVSS v4.0; the CVSS v3.1 base score recorded for the same entry is 4.3)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla Component jomres 9.11.2 contains a cross-site request forgery flaw in its account/index endpoint: the handler applies account changes from any POST that carries the expected fields, without checking an anti-CSRF token. An attacker who lures a logged-in user to a page containing a crafted, self-submitting HTML form can therefore change that user's password, e-mail address, or profile details, because the browser attaches the victim's Joomla session cookie and the component treats the request as the victim's own. The vulnerability does not grant code execution, but a password or e-mail change chosen by the attacker amounts to takeover of the affected account.

Affected Systems

Any Joomla site running the Jomres component at version 9.11.2 is affected. The record also carries an unversioned Jomres CPE (cpe:2.3:a:jomres:jomres:-:*:*:*:*:joomla\!:*:*), and no fixed version is listed on this page, so other releases should be treated as unverified rather than safe until the vendor confirms which versions add the missing CSRF checks.

Risk and Exploitability

The displayed CVSS v4.0 base score of 5.3 (Medium) is accompanied by a v3.1 vector that scores 4.3. Both vectors published with the record carry PR:L and UI:N, whereas the description itself requires a logged-in user to be lured to an attacker-controlled page, so the published scores should be read with that in mind. EPSS is not available and the issue is not listed in CISA KEV, so there is no public evidence of exploitation. Nonetheless, an attacker who succeeds can set a password or e-mail address of their choosing, take over the account, and use the altered profile to support phishing or social engineering against other users.

Generated by OpenCVE AI on May 23, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jomres component to a release that validates a CSRF token on account-modification requests. No fixed version is listed here, so check the vendor's release notes or contact the vendor for the latest release or any available patch.
  • Joomla's CSRF protection is a token API, not a global switch: a component must emit the token in its forms (HTMLHelper::_('form.token')) and validate it in the handler (Session::checkToken() or the controller's checkToken()); core Joomla cannot enforce this on Jomres's behalf. Confirm that the Jomres account/index form emits a token and that a submission without it, or with a token from a different session, is rejected.
  • Limit the roles that can change account credentials, require the current password for password and e-mail changes, notify the previous e-mail address when either changes, and monitor for unexpected changes.
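The following is an added example, not Jomres or Joomla core code. It shows the vulnerable handler shape the CVE describes next to the hardened shape the recommendation above asks you to verify, using Joomla 4 API names (BaseController::checkToken(), HTMLHelper::_('form.token'), User::bind()/save()). The component name com_example, the task name account.save, the field names, and the controller/template split are assumptions for illustration; the two parts would live in separate files in a real component.

```php
<?php
// Added example (not Jomres code). Part 1: a Joomla 4 site controller for a
// hypothetical com_example component; names and fields are assumptions.

use Joomla\CMS\Factory;
use Joomla\CMS\HTML\HTMLHelper;
use Joomla\CMS\MVC\Controller\BaseController;
use Joomla\CMS\Router\Route;

class AccountController extends BaseController
{
    // VULNERABLE shape (CWE-352, the pattern the CVE describes): any POST that
    // carries the expected fields is applied. A hidden form on an attacker's
    // page posts here with the victim's session cookie, so the change succeeds.
    public function saveUnsafe(): void
    {
        $this->applyChanges();
    }

    // HARDENED shape: refuse the request unless it carries the per-session
    // token that HTMLHelper::_('form.token') placed in the legitimate form.
    // BaseController::checkToken() reads the token from the POST body and, by
    // default, redirects back with JINVALID_TOKEN_NOTICE when it is missing or
    // wrong, so applyChanges() is only reached for a genuine submission.
    public function save(): void
    {
        $this->checkToken('post');
        $this->applyChanges();
    }

    private function applyChanges(): void
    {
        $app  = Factory::getApplication();
        $user = $app->getIdentity();   // the logged-in user whose account changes
        $post = $this->input->post;

        // User::bind() hashes 'password' itself when 'password2' matches it.
        $data = [
            'email'     => $post->get('email', '', 'string'),
            'password'  => $post->get('password', '', 'raw'),
            'password2' => $post->get('password2', '', 'raw'),
        ];
        if ($data['password'] === '') {
            unset($data['password'], $data['password2']);   // no password change requested
        }

        if (!$user->bind($data) || !$user->save()) {
            $app->enqueueMessage($user->getError(), 'error');
        }

        $this->setRedirect(Route::_('index.php?option=com_example&view=account', false));
    }
}
?>
<!-- Part 2: the matching form template. The hidden input emitted by
     HTMLHelper::_('form.token') is what checkToken() looks for; a form copied
     onto an attacker's page cannot reproduce the victim's session token. -->
<form action="<?php echo Route::_('index.php?option=com_example&task=account.save'); ?>" method="post">
    <input type="email"    name="email">
    <input type="password" name="password">
    <input type="password" name="password2">
    <?php echo HTMLHelper::_('form.token'); ?>
    <button type="submit">Save</button>
</form>
```

To verify a deployed component rather than read its code, submit the account form twice while logged in: once as rendered, and once with the hidden token input removed (or with a token copied from a second browser session). A handler that honors Joomla's token rejects the second submission with the invalid-token notice; one shaped like saveUnsafe() applies it.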



Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type                 Values Removed   Values Added
(the Values Removed column is empty for this entry)

Description          Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with hidden fields to change passwords, email addresses, and profile details without user consent.
Title                Joomla Component jomres 9.11.2 Cross-Site Request Forgery
First Time appeared  Jomres (vendor); Jomres jomres (product)
Weaknesses           CWE-352
CPEs                 cpe:2.3:a:jomres:jomres:-:*:*:*:*:joomla\!:*:*
                     cpe:2.3:a:jomres:jomres:9.11.2:*:*:*:*:*:*:*
Vendors & Products   Jomres (vendor); Jomres jomres (product)
References           (none)
Metrics              cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
                     cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:54.229Z

Reserved: 2026-05-23T16:21:11.575Z

Link: CVE-2018-25354

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses