The essential news about content management systems and mobile technology. Powered by Joocial, XT Search for Algolia, and SlimApps.

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 through 3.9.3
  • Exploit type: XSS
  • Reported Date: 2019-February-25
  • Fixed Date: 2019-March-12
  • CVE Number: CVE-2019-9714

Description

The media form field lacks escaping, leading to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.9.3

Solution

Upgrade to version 3.9.4

Contact

The JSST at the Joomla! Security Centre....

Reported By: Fouad Maakor

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: High
  • Versions: 3.8.0 through 3.9.3
  • Exploit type: XSS
  • Reported Date: 2019-February-28
  • Fixed Date: 2019-March-12
  • CVE Number: CVE-2019-9713

Description

The sample data plugins lack ACL checks, allowing unauthorized access.

Affected Installs

Joomla! CMS versions 3.8.0 through 3.9.3

Solution

Upgrade to version 3.9.4

Contact

The JSST at the Joomla! Security Centre....

Reported By: Sven Hurt, Benjamin Trenkle

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.9.2
  • Exploit type: XSS
  • Reported Date: 2018-October-07
  • Fixed Date: 2019-February-12
  • CVE Number: CVE-2019-7740

Description

Inadequate parameter handling in JS code could lead to an XSS attack vector.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.9.2

Solution

Upgrade to version 3.9.3

Contact

The JSST at the Joomla! Security Centre....

Reported By: Dimitris Grammatikogiannis

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.9.2
  • Exploit type: Object Injection
  • Reported Date: 2019-January-18
  • Fixed Date: 2019-February-12
  • CVE Number: CVE-2019-7743

Description

The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.9.2

Solution

Upgrade to version 3.9.3

Contact

The JSST at the Joomla! Security Centre....

Reported By: David Jardin (JSST)

Read more

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.9.2
  • Exploit type: XSS
  • Reported Date: 2019-January-16
  • Fixed Date: 2019-February-12
  • CVE Number: CVE-2019-7741

Description

Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.9.2

Solution

Upgrade to version 3.9.3

Contact

The JSST at the Joomla! Security Centre....

Reported By: Antonin Steinhauser

Read more

  1. [20190203] - Core - Additional warning in the Global Configuration textfilter settings
  2. [20190202] - Core - Browserside mime-type sniffing causes XSS attack vectors
  3. [20190201] - Core - Lack of URL filtering in various core components
  4. [20190104] - Core - Stored XSS issue in the Global Configuration help url

© 2020 Extly, CB - All rights reserved.