The essential news about content management systems and mobile technology. Powered by Joocial, XT Search for Algolia, and SlimApps.

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.7.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-May-08
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-xxx

Description

Missing token checks in com_postinstall cause CSRF vulnerabilities.

Affected Installs

Joomla! CMS versions 3.7.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre....

Reported By: Lee Thao from Viettel Cyber Security

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-May-06
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-XXX

Description

Incorrect input validation of the module tag option in com_modules allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre....

Reported By: Lee Thao from Viettel Cyber Security

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-May-06
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-XXX

Description

Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre....

Reported By: Lee Thao from Viettel Cyber Security

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0-3.9.18
  • Exploit type: Insecure Permissions
  • Reported Date: 2020-April-23
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-XXX

Description

The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre....

Reported By: Brain Teeman

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11889

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre....

Reported By: Hoang Kien from VSEC

Read more

  1. [20200402] - Core - Missing checks for the root usergroup in usergroup table
  2. [20200401] - Core - Incorrect access control in com_users access level editing function
  3. [20200306] - Core - SQL injection in Featured Articles menu parameters
  4. [20200305] - Core - Incorrect Access Control in com_fields SQL field

© 2021 Extly, CB - All rights reserved.