GHSA-x6c6-vg4w-8r3rMediumCVSS 6.5
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A...
🔗 CVE IDs covered (1)
📋 Description
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plg_user_k2. A Registered Joomla user, by including the field K2UserForm=1 in a standard com_users profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users table — none of which are exposed by the K2 frontend profile-edit form.