Joomla 3.4.6 Fixes Zero-Day Remote Execution Bug Used in the Wild

I harp on this a lot: You can never trust the client (as in “the browser”). In this case, Joomla was not sanitizing User Agent strings before storing them in the database, opening a garage door-sized security hole.
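A minimal sketch of treating the User-Agent header as untrusted before it reaches the database. This is an added example, not Joomla's code or its 3.4.6 patch; the function names, the `session_log` table and the sample header values are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Joomla code: accept a client-supplied
// User-Agent only if it is short, printable ASCII; otherwise replace it.
function clean_user_agent(?string $raw, int $maxLen = 255): string
{
    if ($raw === null || $raw === '') {
        return 'unknown';
    }
    // Reject rather than repair: no control bytes, no non-ASCII, no oversize.
    // The D modifier stops "$" from matching before a trailing newline.
    if (strlen($raw) > $maxLen || preg_match('/^[\x20-\x7E]+$/D', $raw) !== 1) {
        return 'rejected';
    }
    return $raw;
}

// Hypothetical storage routine: the value is bound as a parameter,
// never concatenated into the SQL text.
function store_user_agent(PDO $db, string $sessionId, ?string $rawAgent): string
{
    $agent = clean_user_agent($rawAgent);
    $stmt = $db->prepare(
        'INSERT INTO session_log (session_id, user_agent) VALUES (:sid, :ua)'
    );
    $stmt->execute([':sid' => $sessionId, ':ua' => $agent]);
    return $agent;
}

// Demo with an in-memory SQLite database and constructed header values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_log (session_id TEXT, user_agent TEXT)');

$samples = [
    'Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0',
    "Mozilla/5.0\r\nX-Extra: 1",   // embedded control characters
    "Mozilla/5.0 caf\u{00E9}",     // non-ASCII bytes
    str_repeat('A', 4096),         // oversized value
    null,                          // header absent
];
foreach ($samples as $i => $ua) {
    echo "sid$i => ", store_user_agent($db, "sid$i", $ua), PHP_EOL;
}
```

Validation like this only narrows what gets stored; any code that later reads the column back must still treat the value as data.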