Joomla Component jomres 9.11.2 Cross-Site Request Forgery
Description
Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with hidden fields to change passwords, email addresses, and profile details without user consent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! Component jomres 9.11.2 is vulnerable to CSRF, allowing attackers to modify user accounts by tricking authenticated users into submitting a crafted form.
Vulnerability
Joomla! Component jomres version 9.11.2 contains a cross-site request forgery (CSRF) vulnerability in the account/index endpoint. The application does not implement anti-CSRF tokens or other request validation mechanisms, allowing an attacker to craft HTML forms that, when submitted by an authenticated victim, perform unauthorized modifications to the victim's account details [1], [2].
Exploitation
An attacker must host a malicious HTML page containing a form that automatically submits a POST request to the index.php?cmd=account/index endpoint of the vulnerable jomres installation. The form includes hidden fields for password, email, name, company, address, and other profile details. The attacker lures an authenticated jomres user (e.g., through social engineering) into visiting the page; because the form submits automatically via JavaScript, no authentication or interaction beyond the page visit is required [1].
Impact
Upon successful exploitation, the attacker gains the ability to change the victim's password, email address, and other profile settings without the victim's knowledge or consent. This can lead to account takeover, privilege escalation (if the account has administrative roles), and further compromise of the Joomla instance [1], [2].
Mitigation
The vendor has not released a patched version as of the available references. Site operators should apply input validation and add anti-CSRF tokens to all state-changing requests, especially the account/index endpoint. Until a fix is available, consider browser extensions or Web Application Firewall (WAF) rules that block cross-origin requests to sensitive endpoints. Alternatively, upgrade to a more recent version of jomres if a security fix has been released [1], [2].
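As an added illustration (not code from jomres, Joomla or the cited advisories), the Python sketch below shows the two server-side checks the mitigation calls for: a per-session anti-CSRF token that a form hosted on another site cannot supply, and an Origin/Referer check of the kind a WAF rule would apply in front of the endpoint. The site origin, session id, form field names and the csrf_token parameter are assumptions made for the example; the real jomres form and API are not modelled.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment settings for this example (not from the advisory).
SITE_ORIGIN = "https://hotel.example"
# Server-side secret that binds tokens to sessions; generated per deployment.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token (synchronizer token pattern).

    The token is an HMAC of the session id under a server secret, so a page
    on another site cannot compute it for the victim's session, and the
    server needs no extra storage. The form embeds it as a hidden field.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Reject state-changing requests whose Origin/Referer names another site.

    Browsers attach an Origin header to cross-site form POSTs, which is what a
    WAF rule "block cross-origin requests to sensitive endpoints" keys on.
    A request carrying neither header is rejected rather than trusted.
    """
    candidate = headers.get("Origin") or headers.get("Referer")
    if not candidate:
        return False
    got, want = urlsplit(candidate), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def account_update_allowed(request: dict) -> tuple:
    """Gate for a profile-update POST such as index.php?cmd=account/index.

    request = {"method", "headers", "session_id", "form"}; returns
    (allowed, reason). Both checks must pass; the token check alone already
    defeats the auto-submitted cross-site form, the origin check is defence
    in depth.
    """
    if request["method"] != "POST":
        return False, "state change requires POST"
    if not origin_is_trusted(request["headers"]):
        return False, "cross-origin request"
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(request["session_id"])
    # Constant-time comparison on bytes (compare_digest on str requires ASCII).
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed sample requests (illustrative, not captured traffic).
SESSION = "sess-123"  # value of the victim's authenticated session cookie
FORM_FIELDS = {"email": "user@example.com", "name": "A. User"}

# Legitimate submission from the site's own page: same origin, valid token.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "session_id": SESSION,
    "form": {**FORM_FIELDS, "csrf_token": issue_csrf_token(SESSION)},
}
# Auto-submitted form hosted elsewhere: the browser still sends the session
# cookie, but Origin names the other site and no token can be present.
CROSS_SITE_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://other-site.example"},
    "session_id": SESSION,
    "form": dict(FORM_FIELDS),
}
# Same-origin submission whose token is missing (e.g. a stale form): refused.
NO_TOKEN_REQUEST = {
    "method": "POST",
    "headers": {"Referer": SITE_ORIGIN + "/index.php?cmd=account/index"},
    "session_id": SESSION,
    "form": dict(FORM_FIELDS),
}

if __name__ == "__main__":
    for label, req in [("legit", LEGIT_REQUEST),
                       ("cross-site", CROSS_SITE_REQUEST),
                       ("no-token", NO_TOKEN_REQUEST)]:
        print(label, account_update_allowed(req))
```

Note that the origin check alone is not a substitute for the token: a Referer header may be stripped by privacy settings or proxies, which is why the legitimate flow must carry the token and the server must refuse, rather than trust, requests that lack both headers.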
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- www.exploit-db.com/exploits/44901 (MITRE; exploit)
- www.vulncheck.com/advisories/joomla-component-jomres-cross-site-request-forgery (MITRE; third-party advisory)
- extensions.joomla.org/extension/jomres/ (MITRE; product)
- www.jomres.net (MITRE; product)
News mentions (0)
No linked articles in our index yet.