The essential news about content management systems and mobile technology. Powered by Joocial, XT Search for Algolia, and SlimApps.

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions:3.1.0 - 3.9.23
  • Exploit type: XSS
  • Reported Date: 2020-09-01
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23125

Description

Lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors.

Affected Installs

Joomla! CMS versions 3.1.0 - 3.9.23

Solution

Upgrade to version 3.9.24

Contact

The JSST at the Joomla! Security Centre....

Reported By: Šarūnas Paulauskas

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions:3.9.0 - 3.9.23
  • Exploit type: XSS
  • Reported Date: 2020-09-01
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23124

Description

Lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.23

Solution

Upgrade to version 3.9.24

Contact

The JSST at the Joomla! Security Centre....

Reported By: Šarūnas Paulauskas

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions:1.7.0 - 3.9.22
  • Exploit type: ACL Violation
  • Reported Date: 2018-11-04
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-xxx (TBA)

Description

Lack of input validation while handling ACL rulesets can cause write ACL violations.

Affected Installs

Joomla! CMS versions 1.7.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre....

Reported By:  Elisa Foltyn, Benjamin Trenkle

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions:3.0.0 - 3.9.23
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-07-07
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23123

Description

Lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.23

Solution

Upgrade to version 3.9.24

Contact

The JSST at the Joomla! Security Centre....

Reported By: Phil Taylor

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0-3.9.22
  • Exploit type: CSRF
  • Reported Date: 2020-10-08
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-xxx (TBA)

Description

A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre....

Reported By:  Lee Thao from Viettel Cyber Security

Read more

  1. [20201105] - Core - User Enumeration in backend login
  2. [20201104] - Core - SQL injection in com_users list view
  3. [20201103] - Core - Path traversal in mod_random_image
  4. [20201102] - Core - Disclosure of secrets in Global Configuration page

© 2021 Extly, CB - All rights reserved.