- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 1.5.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-July-27
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14596
Description
Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS Installer
- Severity: High
- Versions: 1.0.0 through 3.7.3
- Exploit type: Lack of Ownership Verification
- Reported Date: 2017-Apr-06
- Fixed Date: 2017-July-25
- CVE Number: CVE-2017-11364
Description
The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control.
Please note: Already installed sites are not affected, as this issue is limited to the installer application!
Affected Installs
Joomla! CMS versions 1.0.0 through 3.7.3
Solution
Upgrade to version 3.7.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 1.5.0 through 3.7.3
- Exploit type: XSS
- Reported Date: 2017-April-26
- Fixed Date: 2017-July-25
- CVE Number: CVE-2017-11612
Description
Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.7.3
Solution
Upgrade to version 3.7.4
Contact
The JSST at the Joomla! Security Centre.