The essential news about content management systems and mobile technology. Powered by Joocial, XT Search for Algolia, and SlimApps.

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 1.7.0-3.9.15
  • Exploit type: SQL Injection
  • Reported Date: 2020-March-9
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10243

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.

Affected Installs

Joomla! CMS versions 1.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre....

Reported By: Sam Thomas, Pentest.co.uk

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-28
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10239

Description

Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

Affected Installs

Joomla! CMS versions 3.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre....

Reported By: HOÀNG KIÊN

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-January-31
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10238

Description

Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre....

Reported By: HOÀNG KIÊN

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: Other
  • Reported Date: 2020-February-07
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10240

Description

Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre....

Reported By: Lee Thao from Viettel Cyber Security

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: XSS
  • Reported Date: 2020-February-24
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10242

Description

Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre....

Reported By: Pham Van Khanh

Read more

  1. [20200301] - Core - CSRF in com_templates image actions
  2. [20200103] - Core - XSS in com_actionlogs
  3. [20200102] - Core - CSRF com_templates LESS compiler
  4. [20200101] - Core - CSRF in batch actions

© 2020 Extly, CB - All rights reserved.