PatchSiren cyber security CVE debrief
CVE-2018-25354 Jomres CVE debrief
CVE-2018-25354 documents a cross-site request forgery (CSRF) vulnerability in Jomres 9.11.2, a Joomla component for hotel and property management. The flaw allows attackers to modify authenticated user account information—including passwords, email addresses, and profile details—by inducing victims to visit malicious pages containing crafted HTML forms targeting the account/index endpoint. The vulnerability stems from insufficient validation of state-changing requests, enabling attackers to exploit the victim's existing authenticated session without their knowledge or consent. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and no user interaction needed for the attacker, with impacts to integrity and availability. The vulnerability was disclosed in 2018 but received updated NVD entries in May 2026 with deferred status.
- Vendor
- Jomres
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-23
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-23
- Advisory updated
- 2026-05-26
Who should care
Organizations running Jomres 9.11.2 on Joomla installations, particularly those in hospitality and property management sectors. Security teams responsible for Joomla ecosystem applications. Developers maintaining Jomres deployments or forked versions.
Technical summary
Jomres 9.11.2 fails to implement adequate CSRF protections on the account/index endpoint. An attacker can construct a malicious HTML form with hidden fields corresponding to account modification parameters (password, email, profile data). When an authenticated Jomres user visits the attacker's page, the form submits automatically to the vulnerable endpoint, leveraging the victim's active session cookie to execute unauthorized changes. The attack requires no user interaction beyond page load and can be delivered through standard web vectors including phishing emails, malicious advertisements, or compromised legitimate sites. The vulnerability is exploitable remotely with low complexity.
Defensive priority
medium
Recommended defensive actions
- Apply CSRF protection tokens to all state-changing endpoints in Jomres, particularly the account/index endpoint
- Validate the Origin and Referer headers for sensitive requests
- Implement SameSite cookie attributes for session management
- Review and update Jomres to a patched version if available from the vendor
- Conduct security assessment of other Jomres endpoints for similar CSRF vulnerabilities
- Enable logging and monitoring for suspicious account modification requests
Evidence notes
The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). Source references include the Joomla Extensions Directory listing for Jomres, an Exploit-DB entry, the vendor website, and a VulnCheck advisory. The CVSS 4.0 score of 5.3 reflects medium severity with integrity and availability impacts. No known exploitation in ransomware campaigns has been documented (KEV: false).
Official resources
CVE-2018-25354 was published on 2026-05-23 and last modified on 2026-05-26. The vulnerability affects Jomres 9.11.2, a Joomla extension. The NVD entry currently carries a 'Deferred' status, indicating the vulnerability is under review or re