{"id":"CVE-2020-11891","details":"An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.","aliases":["BIT-joomla-2020-11891"],"modified":"2026-04-11T22:57:31.487505Z","published":"2020-04-21T17:15:12.757Z","references":[{"type":"ADVISORY","url":"https://developer.joomla.org/security-centre/809-20200401-core-incorrect-access-control-in-com-users-access-level-editing-function.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/joomla/joomla-cms","events":[{"introduced":"28aef911901979246d398f0580c436c87dfec59d"},{"fixed":"7b010b41500bc916273ea82c0ba58bd57a1fe4ce"}],"database_specific":{"cpe":"cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"3.8.8"},{"fixed":"3.9.17"}],"source":"CPE_FIELD"}}],"versions":["3.8.10","3.8.11","3.8.11-rc","3.8.12","3.8.12-rc","3.8.8","3.8.9","3.8.9-rc","3.9.0","3.9.0-beta","3.9.0-beta2","3.9.0-beta3","3.9.0-beta4","3.9.0-rc","3.9.0-rc2","3.9.1","3.9.1-rc","3.9.10","3.9.11","3.9.11-rc","3.9.12","3.9.12-rc","3.9.13","3.9.13-rc","3.9.13-rc2","3.9.14","3.9.14-rc","3.9.15","3.9.15-rc","3.9.16","3.9.16-rc","3.9.17-rc","3.9.2","3.9.2-rc","3.9.3","3.9.3-rc","3.9.4","3.9.4-rc","3.9.5","3.9.5-rc","3.9.6","3.9.6-rc","3.9.6-rc2","3.9.7","3.9.7-rc","3.9.8","3.9.9","3.9.9-rc","issues-241-257"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11891.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}