Joomla! Security News

  1. [20190801] - Core - Hardening com_contact contact form

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 1.6.2 - 3.9.10
    • Exploit type: Incorrect Access Control
    • Reported Date: 2019-April-09
    • Fixed Date: 2019-August-13
    • CVE Number: CVE-2019-15028

    Description

    Inadequate checks in com_contact could allowed mail submission in disabled forms.

    Affected Installs

    Joomla! CMS versions 1.6.2 - 3.9.10

    Solution

    Upgrade to version 3.9.11

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Sergey Brester

  2. [20190701] - Core - Filter attribute in subform fields allows remote code execution

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 3.9.7 - 3.9.8
    • Exploit type: Remote Code Execution
    • Reported Date: 2019-June-20
    • Fixed Date: 2019-July-09
    • CVE Number: CVE-2019-14654

    Description

    Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

    Affected Installs

    Joomla! CMS versions 3.9.7 - 3.9.8

    Solution

    Upgrade to version 3.9.9

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Benjamin Trenkle, JSST

  3. [20190603] - Core - ACL hardening of com_joomlaupdate

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 3.8.13 through 3.9.6
    • Exploit type: Incorrect Access Control
    • Reported Date: 2019-April-10
    • Fixed Date: 2019-June-11
    • CVE Number: CVE-2019-12764

    Description

    The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.

    Affected Installs

    Joomla! CMS versions 3.8.13 through 3.9.6

    Solution

    Upgrade to version 3.9.7

    Contact

    The JSST at the Joomla! Security Centre.

     

  4. [20190602] - Core - XSS in subform field

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Moderate
    • Severity: Low
    • Versions: 3.6.0 through 3.9.6
    • Exploit type: XSS
    • Reported Date: 2019-January-01
    • Fixed Date: 2019-June-11
    • CVE Number: CVE-2019-12766

    Description

    The subform fieldtype does not sufficiently filter or validate input of subfields, this leads to XSS attack vectors.

    Affected Installs

    Joomla! CMS versions 3.6.0 through 3.9.6

    Solution

    Upgrade to version 3.9.7

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Volkmar Schlothauer, ghsvs.de

  5. [20190601] - Core - CSV injection in com_actionlogs

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 3.9.0 through 3.9.6
    • Exploit type: CSV Injection
    • Reported Date: 2019-April-29
    • Fixed Date: 2019-June-11
    • CVE Number: CVE-2019-12765

    Description

    The CSV export of com_actionslogs is vulnerable to CSV injection.

    Affected Installs

    Joomla! CMS versions 3.9.0 through 3.9.6

    Solution

    Upgrade to version 3.9.7

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)

About me

JSN Ares suit perfectly for any portfolio websites or mobile applications website. JSN Ares has responsive layout and it fully support K2 as well as Kunena.

Get Newsletter

Joomla forms builder by JoomlaShine

Get in touch

  • Add : 26 rue du Chalet, 75010 Paris - France
  • Fax : +00 (0)1 23 45 6789
  • Mobile: +00 (0)1 23 45 6789
  • Email : This email address is being protected from spambots. You need JavaScript enabled to view it.

The Joomla! name is used under a limited license from Open Source Matters in the United States and other countries. JoomlaShine.com is not affiliated with or endorsed by Open Source Matters or the Joomla! Project.

Copyright © 2008 - 2015 JoomlaShine.com. All rights reserved. Many features demonstrated on this website are available only in JSN Ares PRO Edition.

All stock photos used on this JSN Ares demo site are only for demo purposes and not included in the template package.

TOP
Template by JoomlaShine