Helix3 Extension For Joomla
Monthly
Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. There is no public exploit identified at time of analysis, but the issue is automatable per CISA SSVC and carries a CVSS 7.5 (High) due to its network-reachable, unauthenticated integrity impact.
Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. There is no public exploit identified at time of analysis, but the issue is automatable per CISA SSVC and carries a CVSS 7.5 (High) due to its network-reachable, unauthenticated integrity impact.