Joomla maintainers released a fix for a critical SQL injection flaw, tracked as CVE-2017-8917, that can be exploited by a remote attacker to hijack websites. The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7.0. The vulnerable component borrows views from an admin-side component that has the same name. Because it is a publicly accessible component, anyone can exploit the vulnerability without needing a privileged account on the vulnerable website.
Source: https://securityaffairs.co/wordpress/59204/hacking/joomla-cve-2017-8917-vulnerability.html