Joomla! Developer Network

There is always a great deal of Joomla! development activity underway and communicating with other developers in the community is essential. This site is a resource for anyone looking to build or maintain software based on the Joomla! platform.

Where to Start

Download Documentation Support Report an Issue Volunteer Roadmap

Review Tracker Volunteer Activity Volunteer Report New Issue Roadmap

Download Documentation Support Report an Issue Contribute Roadmap

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.2.0 - 3.9.24
Exploit type: Insecure Randomness
Reported Date: 2021-01-12
Fixed Date: 2021-03-02
CVE Number: CVE-2021-23126, CVE-2021-23127

Description

Usage of the insecure rand() function within the process of generating the 2FA secret.
Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes.

Additional details as well as a more contexts for exising sites can be found in the docs: https://docs.joomla.org/J3.x:Changes_to_the_2FA_token_generation_recommendations_for_existing_sites

This issue has been coordinated with Akeeba Ltd as contributor of the original FOF codebase to the core.

Affected Installs

Joomla! CMS versions 3.2.0 - 3.9.24

Solution

Upgrade to version 3.9.25

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hanno Böck

Developer Network™

Where to Start

[20210301] - Core - Insecure randomness within 2FA secret generation

Description

Affected Installs

Solution

Contact