Developer Network™ - Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.7.0-3.9.18
- Exploit type: CSRF
- Reported Date: 2020-May-08
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13760
Description
Missing token checks in com_postinstall cause CSRF vulnerabilities.
Affected Installs
Joomla! CMS versions 3.7.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-April-10
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-11022 and CVE-2020-11023
Description
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others."
The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-May-06
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13762
Description
Incorrect input validation of the module tag option in com_modules allow XSS attacks.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.