The vulnerability stems from improper neutralization of browser information (CWE-74) stored in session values. The Joomla security advisory explicitly states browser information wasn't filtered during session storage. Session initialization typically handles User-Agent headers, and PHP's unserialize() operation on attacker-controlled data leads to object injection. The patched version 1.3.1 would have added filtering in this initialization path, aligning with the vulnerability pattern of unsafe session data handling.