Joomla! Security News

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Moderate
    • Severity: High
    • Versions: 3.8.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-February-28
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9713

    Description

    The sample data plugins lack ACL checks, allowing unauthorized access.

    Affected Installs

    Joomla! CMS versions 3.8.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Sven Hurt, Benjamin Trenkle
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 3.0.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-February-25
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9714

    Description

    The media form field lacks escaping, leading to a XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Fouad Maakor
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 3.0.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-February-25
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9711

    Description

    The item_title layout in edit views lacks escaping, leading to a XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Fouad Maakor
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 3.2.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-March-04
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9712

    Description

    The JSON handler in com_config lacks input validation, leading to XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Mario Korth, Hackmanit
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: Object Injection
    • Reported Date: 2019-January-18
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7743

    Description

    The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:David Jardin (JSST)

Программа "Автоспорт и бизнес тематика"

banerallboss

Приглашаем в телепроект "Реальный Бизнес"

banerallboss

Простой показатель эффективности работы с компанией Реал Босс "

banerallboss

Программа "Готовый бизнес изнутри"

banerallboss

Разработка системы RLS

banerallboss

Участие в аналитических статьях

banerallboss

Декларирование задач клиентов

banerallboss

Управление производством пластиковых карт

banerallboss

Публикации в деловых изданиях

banerallboss