• Project: Joomla!
• SubProject: CMS
• Impact: Low
• Severity: Low
• Versions: 2.5.0-3.9.18
• Exploit type: Insecure Permissions
• Reported Date: 2020-April-23
• Fixed Date: 2020-June-02
• CVE Number: CVE-2020-XXX

Description

The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre....

This meeting of the Joomla! Compliance Team has been held on May 27, 2020 at 16:30 CET on Glip. 

Participants 

In attendance: 

• Donata Kalnenaite
• Sandra Decoux
• Luca Marzo
• Sander Potjer
• Roland Dalmulder

Discussion outline 

• Donata drafted an article on contact forms and GDPR for the Joomla Community Magazine; 
• Roland stated that there are some issues with IDP and the further implementation of the IDP will be postponed until those issues are resolved. He will also work on the CLI script that will aid in data subject requests; 
• Sander is working on usability improvements for the IDP; and 
• Luca will follow up with the Webmasters Team on the property assessments that still need to be completed. 

• Project: Joomla!
• SubProject: CMS
• Impact: Moderate
• Severity: Low
• Versions: 3.0.0-3.9.18
• Exploit type: XSS
• Reported Date: 2020-May-06
• Fixed Date: 2020-June-02
• CVE Number: CVE-2020-XXX

Description

Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre....

Information:
The webmasters team mainly consists of leaders and liaisons from other teams, with the purpose to effectively work together on all aspects of our properties and infrastructure.
The team meets as needed, because managing the properties is a daily task and communication is done through Glip, Mails and ADoodle.

Our reports will include general information, actions performed and motions taken over a period of time.
The reports will not be about just one meeting which is planned every month like most teams.

General:

• The TL requested team members to supply feedback on the standardization of Joomla Properties Backup structure and after processing a motion was conducted.
  
• The TL requested the team to supply feedback on the standardization of Joomla User Configuration settings, like password length, characters, etc.
  
• The TL found a data breach in one of the properties,