Joomla bug notes
com_contact access-control bypass
Short version: Joomla can deny a guest access to a Registered-only contact page, yet still hand the same guest another representation of that contact through format=vcf. The clean proof is the same contact requested twice by the same unauthenticated client: the HTML view returns HTTP 403, and the format=vcf view returns HTTP 200 with a body that begins with BEGIN:VCARD.
This is not just a bad link. The HTML contact view enforces the contact and category access check, while the vCard view loads the contact model and emits its fields without making the same authorization decision.
If a site only stores public sales contact details, impact can be low. But Registered-only contacts are often used for staff directories, internal departments, teachers, doctors, tenants, members, volunteers, private office locations, or customer-facing reps. In those cases the vCard can leak personal data like names, work or personal email, phone, mobile, fax, job title, postal address, and URLs.
The stronger security point is the broken privacy boundary: Joomla says the guest cannot view the contact, but a direct output format still gives the guest the data.
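Added example, not part of the original notes: detection logic in Python that runs over constructed web-server access-log lines and flags a client that was refused the HTML contact view (403) and then received the same contact id through format=vcf (200). It assumes Apache/nginx combined log format and non-SEF Joomla URLs (index.php?option=com_contact&view=contact&id=...); SEF rewrites would need a different path parser.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Client 203.0.113.5 is denied the
# HTML view of contact 7 and then receives the vCard; the other clients are noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?option=com_contact&view=contact&id=7 HTTP/1.1" 403 1203 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?option=com_contact&view=contact&id=7&format=vcf HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php?option=com_contact&view=contact&id=3:sales HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:01:02 +0000] "GET /index.php?option=com_contact&view=contact&id=3:sales&format=vcf HTTP/1.1" 200 380 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:12:02:00 +0000] "GET /index.php?option=com_contact&view=contact&id=7&format=vcf HTTP/1.1" 403 1203 "-" "Mozilla/5.0"',
]

def parse_contact_request(line):
    """Return (ip, contact_id, fmt, status) for com_contact contact-view requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("path")).query)
    if qs.get("option", [""])[0] != "com_contact" or qs.get("view", [""])[0] != "contact":
        return None
    cid = qs.get("id", [""])[0].split(":")[0]   # Joomla accepts id:alias slugs; keep the numeric id
    fmt = qs.get("format", ["html"])[0].lower()  # no format parameter means the HTML view
    return m.group("ip"), cid, fmt, int(m.group("status"))

def find_vcf_bypass(lines):
    """Flag clients that got a 403 on the HTML view of a contact and later a 200 on
    the vCard view of the same contact id. A public contact (200 on both) and a
    patched site (403 on both) produce no finding."""
    denied = set()   # (ip, contact_id) pairs refused the HTML view so far
    findings = []
    for line in lines:
        rec = parse_contact_request(line)
        if rec is None:
            continue
        ip, cid, fmt, status = rec
        if fmt == "html" and status == 403:
            denied.add((ip, cid))
        elif fmt == "vcf" and status == 200 and (ip, cid) in denied:
            findings.append({"client": ip, "contact_id": cid})
    return findings
```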