A security flaw has been discovered in Joomla versions 3.5.0 through 3.8.5.
It has been assigned CVE-2018-8045.
The User notes list view is missing a type cast on a variable, which can lead to SQL injection.
This means that an attacker could read or modify data in your Joomla database without authorization.
This requires nothing more than a request to the User notes list view with specially crafted parameters.
The Joomla team rates the severity of the flaw as low.
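To show the class of bug the advisory describes, here is an added illustration of a missing cast beside the hardened form. This is not Joomla's own code; the function names, the `notes` table and the `catid` column are hypothetical, and the filter value is a constructed sample.

```php
<?php
// Added illustration (not Joomla's code): a list-view model that filters
// notes by a category id taken from the request. Names are hypothetical.

/**
 * Vulnerable pattern: the filter value is interpolated as-is, so anything
 * that is not a plain number becomes part of the SQL text.
 */
function buildNotesQueryUnsafe(string $categoryFilter): string
{
    return 'SELECT id, subject FROM notes WHERE catid = ' . $categoryFilter;
}

/**
 * Hardened pattern: an integer filter is cast before it reaches the query.
 * PHP's (int) cast keeps only a leading integer and discards the rest, so the
 * interpolated value can only ever be a number.
 */
function buildNotesQuerySafe(string $categoryFilter): string
{
    $catid = (int) $categoryFilter;
    return 'SELECT id, subject FROM notes WHERE catid = ' . $catid;
}

/**
 * Optional guard for reviewers: reject a filter that does not survive the
 * round trip through (int) unchanged, i.e. one that was not a clean integer.
 */
function isCleanIntegerFilter(string $categoryFilter): bool
{
    return (string) (int) $categoryFilter === trim($categoryFilter);
}

// Constructed sample: a tampered request parameter instead of a plain id.
$tampered = '3 OR 1=1';

// Unsafe: the WHERE clause now carries the attacker-controlled tail.
echo buildNotesQueryUnsafe($tampered), PHP_EOL;

// Safe: only the integer 3 reaches the query.
echo buildNotesQuerySafe($tampered), PHP_EOL;

// The guard flags the tampered value and accepts a clean one.
var_dump(isCleanIntegerFilter($tampered), isCleanIntegerFilter('3'));
```

Joomla's own `Joomla\Utilities\ArrayHelper::toInteger()` applies the same cast to an array of ids, which is the usual way list-view filters are sanitised in core models.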
Here are some basic notes on how I accomplished this:
I'm using a file called loader.php located in the library path in my component directory. I call it from my main controller file like this:
As you can see, I just copied the PFBC folder into a folder called 3rdparty within my Joomla component folder. Now you can use PFBC anywhere in your component by creating the object like this and adding a field, for example: