There is always a great deal of Joomla! development activity underway and communicating with other developers in the community is essential. This site is a resource for anyone looking to build or maintain software based on the Joomla! platform.
Where to Start
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 1.5.0 through 3.8.11
- Exploit type: Malicious file upload
- Reported Date: 2018-August-23
- Fixed Date: 2018-August-28
- CVE Number: CVE-2018-15882
Description
Inadequate checks in the InputFilter class could allow specifically prepared PHAR files to pass the upload filter.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.11
Solution
Upgrade to version 3.8.12
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 1.6.0 through 3.8.8
- Exploit type: XSS
- Reported Date: 2018-May-07
- Fixed Date: 2018-June-26
- CVE Number: CVE-2018-12711
Description
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url.
Affected Installs
Joomla! CMS versions 1.6.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.8.8
- Exploit type: LFI
- Reported Date: 2018-April-23
- Fixed Date: 2018-June-26
- CVE Number: CVE-2018-12712
Description
Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.