1 article with this tag
iCagenda (Joomla events-calendar extension) 3.2.1–3.9.14 and 4.0.0–4.0.7 has an unauthenticated arbitrary file upload → RCE (CVSS 10.0, in CISA KEV). Access control on the public event-registration form's attachment handler was reportedly enforced only at the view layer, not the controller. The real fix is updating to 3.9.15 or 4.0.8, plus a compromise check. The durable defense is designing out the 'unauthenticated upload → RCE' pattern.