• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • Documentation
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • Developer Network
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

[20231101] - Core - Exposure of environment variables

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 1.6.0-4.4.0, 5.0.0
  • Exploit type: Information Disclosure
  • Reported Date: 2023-07-14
  • Fixed Date: 2023-11-21
  • CVE Number: CVE-2023-40626

Description

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Contact

The JSST at the Joomla! Security Centre.

[20230502] - Core - Bruteforce prevention within the mfa screen

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Lack of rate limiting
  • Reported Date: 2023-04-29
  • Fixed Date: 2023-05-30
  • CVE Number: CVE-2023-23755

Description

The lack of rate limiting allows brute force attacks against MFA methods.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20230501] - Core - Open Redirects and XSS within the mfa selection

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Open Redirect / XSS
  • Reported Date: 2023-02-28
  • Fixed Date: 2023-05-28
  • CVE Number: CVE-2023-23754

Description

Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Srpopty from huntr.dev
  1. You are here:  
  2. Home
  3. News
  4. Security Centre

Joomla! CMS

  • Current Release Joomla! CMS 3 4.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 2.x
  • Development Status

Resources

  • Development Strategy
  • Security Announcements
  • Report Security Issues
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Twitter
  • Joomla! on Facebook
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • Docs
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in

© 2005 - 2023 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.