The Session package 1.x before 1.3.1 for Joomla! Framework allows remote attackers to execute arbitrary code via unspecified session values.
developer.joomla.org/security-centre/637-20151205-session-remote-code-execution-vulnerability.html
github.com/FriendsOfPHP/security-advisories/blob/master/joomla/session/CVE-2015-8566.yaml
github.com/joomla-framework/session
nvd.nist.gov/vuln/detail/CVE-2015-8566
web.archive.org/web/20160603093633/www.securityfocus.com/bid/79197