The Session package 1.x prior to 1.3.1 for Joomla! Framework allows remote malicious users to execute arbitrary code via unspecified session values.
joomla session 1.3.0