An update to 2.2.7 is available.
Holes:
x) com_ajax access for non authenticated visitors
x) unauthenticated write access to the menu settings, scriptinjection possible, can become active in user or admin sessions (stored XSS)
x) path traversal hole which allows delete actions over the whole joomla directory
x) an open redirect
x) an unprotected template export
There is no CVE number at this point yet.
Holes:
x) com_ajax access for non authenticated visitors
x) unauthenticated write access to the menu settings, scriptinjection possible, can become active in user or admin sessions (stored XSS)
x) path traversal hole which allows delete actions over the whole joomla directory
x) an open redirect
x) an unprotected template export
There is no CVE number at this point yet.