J3.x:Joomla 3.8.13 Security Notes
From Joomla! Documentation
Joomla 3.8.13 Security Notes
New ACL Verification on approving an user after email notification
As of 3.8.13, Joomla is securing the process on approving an user after an email notification by requesting the administrator, who is going to approve the request, to login into the frontend. After the administrator logged in, they are redirected to the activation URL and the account is activated. The main reason is that we have got some reports on "auto approvings", done by antivirus software checking any URL send by email.
Improved security for the Joomla Update Component
As of 3.8.13, Joomla is locking down the Joomla Update Component to Super Administrators only, as this component is by design intended to apply changes to the core of the CMS and by also processes sensitive data related to site updates. Therefore we decided that this component and its feature should be restricted to Super Administrators only.