Security Announcements
|
|
-
[20190901] - Core - XSS in logo parameter of default templates
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.11
- Exploit type: XSS
- Reported Date: 2019-August-28
- Fixed Date: 2019-September-24
- CVE Number: CVE-2019-16725
Description
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.11
Solution
Upgrade to version 3.9.12
Contact
The JSST at the Joomla! Security Centre.
Reported By: Aswin M Guptha
-
[20190801] - Core - Hardening com_contact contact form
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 1.6.2 - 3.9.10
- Exploit type: Incorrect Access Control
- Reported Date: 2019-April-09
- Fixed Date: 2019-August-13
- CVE Number: CVE-2019-15028
Description
Inadequate checks in com_contact could allowed mail submission in disabled forms.
Affected Installs
Joomla! CMS versions 1.6.2 - 3.9.10
Solution
Upgrade to version 3.9.11
Contact
The JSST at the Joomla! Security Centre.
Reported By: Sergey Brester
-
[20190701] - Core - Filter attribute in subform fields allows remote code execution
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.9.7 - 3.9.8
- Exploit type: Remote Code Execution
- Reported Date: 2019-June-20
- Fixed Date: 2019-July-09
- CVE Number: CVE-2019-14654
Description
Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
Affected Installs
Joomla! CMS versions 3.9.7 - 3.9.8
Solution
Upgrade to version 3.9.9
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle, JSST
-
[20190603] - Core - ACL hardening of com_joomlaupdate
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.8.13 through 3.9.6
- Exploit type: Incorrect Access Control
- Reported Date: 2019-April-10
- Fixed Date: 2019-June-11
- CVE Number: CVE-2019-12764
Description
The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.
Affected Installs
Joomla! CMS versions 3.8.13 through 3.9.6
Solution
Upgrade to version 3.9.7
Contact
The JSST at the Joomla! Security Centre.
Â
-
[20190602] - Core - XSS in subform field
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.6.0 through 3.9.6
- Exploit type: XSS
- Reported Date: 2019-January-01
- Fixed Date: 2019-June-11
- CVE Number: CVE-2019-12766
Description
The subform fieldtype does not sufficiently filter or validate input of subfields, this leads to XSS attack vectors.
Affected Installs
Joomla! CMS versions 3.6.0 through 3.9.6
Solution
Upgrade to version 3.9.7
Contact
The JSST at the Joomla! Security Centre.
Reported By: Volkmar Schlothauer, ghsvs.de
|