Author
Robin Peraglie
Word count
884
Language
English
Hacker News points
None

Summary

The Joomla! content management system has a previously unknown LDAP injection vulnerability that could allow remote attackers to leak the super user password and take over any Joomla! installation that uses LDAP for authentication. Affected are installations running versions 1.5 through 3.7.5 that are configured to use LDAP for authentication. An attacker can exploit the vulnerability by sending a series of payloads that guess the credentials character by character, extracting one bit of information per request from the LDAP server, which makes for a highly efficient blind LDAP injection attack. Joomla! has released a fixed version, and users are advised to update immediately to version 3.8.