Joomla Security Announcements

Security Patch information from joomla.org.  Joomla User Group Chicago North (JUGCN) is not responsible for the content.

 

  1. [20210103] - Core - XSS in com_tags image parameters

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions:3.1.0 - 3.9.23
    • Exploit type: XSS
    • Reported Date: 2020-09-01
    • Fixed Date: 2021-01-12
    • CVE Number: CVE-2021-23125

    Description

    Lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors.

    Affected Installs

    Joomla! CMS versions 3.1.0 - 3.9.23

    Solution

    Upgrade to version 3.9.24

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Šarūnas Paulauskas

  2. [20210102] - Core - XSS in mod_breadcrumbs aria-label attribute

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions:3.9.0 - 3.9.23
    • Exploit type: XSS
    • Reported Date: 2020-09-01
    • Fixed Date: 2021-01-12
    • CVE Number: CVE-2021-23124

    Description

    Lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.

    Affected Installs

    Joomla! CMS versions 3.9.0 - 3.9.23

    Solution

    Upgrade to version 3.9.24

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Šarūnas Paulauskas

  3. [20210101] - Core - com_modules exposes module names

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions:3.0.0 - 3.9.23
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-07-07
    • Fixed Date: 2021-01-12
    • CVE Number: CVE-2021-23123

    Description

    Lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.23

    Solution

    Upgrade to version 3.9.24

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Phil Taylor

  4. [20201107] - Core - Write ACL violation in multiple core views

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions:1.7.0 - 3.9.22
    • Exploit type: ACL Violation
    • Reported Date: 2018-11-04
    • Fixed Date: 2020-11-24
    • CVE Number: CVE-2020-35616

    Description

    Lack of input validation while handling ACL rulesets can cause write ACL violations.

    Affected Installs

    Joomla! CMS versions 1.7.0 - 3.9.22

    Solution

    Upgrade to version 3.9.23

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Elisa Foltyn, Benjamin Trenkle

  5. [20201106] - Core - CSRF in com_privacy emailexport feature

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.9.0-3.9.22
    • Exploit type: CSRF
    • Reported Date: 2020-10-08
    • Fixed Date: 2020-11-24
    • CVE Number: CVE-2020-35615

    Description

    A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.

    Affected Installs

    Joomla! CMS versions 3.9.0 - 3.9.22

    Solution

    Upgrade to version 3.9.23

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Lee Thao from Viettel Cyber Security
Ask JUGCN!
×

Got a Joomla! Question? Ask JUGCN

Ask away... we will get back to you within 24 hours

Please let us know your message.

Please let us know your name.

Please let us know your email address.

Invalid Input