Security Centre

There is always a great deal of Joomla! development activity underway and communicating with other developers in the community is essential. This site is a resource for anyone looking to build or maintain software based on the Joomla! platform.

Where to Start

Download Documentation Support Report an Issue Volunteer Roadmap

Review Tracker Volunteer Activity Volunteer Report New Issue Roadmap

Download Documentation Support Report an Issue Contribute Roadmap

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: Cache Poisoning
Reported Date: 2024-05-23
Fixed Date: 2024-08-20
CVE Number: CVE-2024-27185

Description

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Shane Edwards

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: Open redirect
Reported Date: 2024-03-20
Fixed Date: 2024-08-20
CVE Number: CVE-2024-27184

Description

Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.

Affected Installs

Joomla! CMS versions 3.4.6-3.10.16-elts,4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Gareth Heyes (PortSwigger Research) & Teodor Ivanov

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS
Reported Date: 2024-06-09
Fixed Date: 2024-07-09
CVE Number: CVE-2024-26278

Description

The Custom Fields component not correctly filter inputs, leading to a XSS vector.

Affected Installs

Joomla! CMS versions 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jesper den Boer

Developer Network™

Where to Start

[20240802] - Core - Cache Poisoning in Pagination

Description

Affected Installs

Solution

Contact

[20240801] - Core - Inadequate validation of internal URLs

Description

Affected Installs

Solution

Contact

[20240705] - Core - XSS in com_fields default field value

Description

Affected Installs

Solution

Contact