- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.26
- Exploit type: CSRF
- Reported Date: 2021-05-07
- Fixed Date: 2021-05-25
- CVE Number: CVE-2021-26034
Description
A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.26
Solution
Upgrade to version 3.9.27
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.26
- Exploit type: CSRF
- Reported Date: 2021-05-07
- Fixed Date: 2021-05-25
- CVE Number: CVE-2021-26033
Description
A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.26
Solution
Upgrade to version 3.9.27
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.26
- Exploit type: XSS
- Reported Date: 2021-03-05
- Fixed Date: 2021-05-25
- CVE Number: CVE-2021-26032
Description
HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.26
Solution
Upgrade to version 3.9.27
Contact
The JSST at the Joomla! Security Centre.
Reported By: Adrian Tiron, Fortbridge