A security flaw has been discovered in Joomla version 3.5.0 through 3.8.5.
It has been assigned [CVE-2018-8045].
The User notes list view is missing a type casting of a variable which can lead to an SQL injection.
This means that somebody can make changes or read out data from your Joomla database without permission.
It can be achieved by simply calling the User notes list view with specially crafted parameters.
The Joomla team considers the severity of the flaw as low.