The Session package 1.x before 1.3.1 for Joomla! Framework allows remote attackers to execute arbitrary code via unspecified session values. (CVSS:7.5) (Last Update:2015-12-17)