- Project: Joomla!
- SubProject: All
- Severity: Medium
- Versions: 1.6.3 and all earlier 1.6.x versions
- Exploit type: XSS
- Reported Date: 2011-May-25
- Fixed Date: 2011-June-27
Description
Inadequate input filtering leads to a cross-site scripting (XSS) vulnerability.
Affected Installs
Joomla! version 1.6.3 and all earlier 1.6.x versions
Solution
Upgrade to the latest Joomla! version (1.6.4 or later)
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 1.5.15 and all previous 1.5 releases
- Exploit type: Unauthorised Access
- Reported Date: 2010-Jan-07
- Fixed Date: 2010-Apr-23
Description
When a user requests a password reset, the reset token is stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if an extension on the site has an SQL injection vulnerability, since the stored tokens can then be read out and used.
Affected Installs
All 1.5.x installs prior to and including 1.5.15 are affected.
Solution
Upgrade to the latest Joomla! version (1.5.16 or later)
Contact
The JSST at the Joomla! Security Centre.
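The mitigation for the plain-text reset-token issue above is to store only a hash of the token, so that a database read obtained through some other flaw yields digests rather than usable tokens. The following is an added example written for this page, not Joomla! code; it uses an in-memory array as a stand-in for the users table, and the function and field names are hypothetical.

```php
<?php
// Added example (not Joomla!'s own code): store only a SHA-256 digest of the
// password-reset token. The raw token goes to the user (e.g. by e-mail); the
// database row never contains anything that can be presented as a token.
// Assumptions: $users is a hypothetical in-memory stand-in for the users table.

declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;

// Hypothetical user store: user id => row
$users = [42 => ['reset_hash' => null, 'reset_expires' => 0]];

/** Issue a reset token: return the raw token, persist only its hash and expiry. */
function issueResetToken(array &$users, int $userId): string
{
    $token = bin2hex(random_bytes(32));                  // 256 bits from the CSPRNG
    $users[$userId]['reset_hash']    = hash('sha256', $token);
    $users[$userId]['reset_expires'] = time() + TOKEN_TTL_SECONDS;
    return $token;                                       // never written to the DB as-is
}

/** Verify a presented token against the stored digest and consume it on success. */
function verifyResetToken(array &$users, int $userId, string $presented): bool
{
    $row = $users[$userId] ?? null;
    if ($row === null || $row['reset_hash'] === null || time() > $row['reset_expires']) {
        return false;                                    // no outstanding request, or expired
    }
    // Constant-time comparison of two equal-length hex digests.
    if (!hash_equals($row['reset_hash'], hash('sha256', $presented))) {
        return false;
    }
    // Single use: clear the digest so a replay of the same token is rejected.
    $users[$userId]['reset_hash']    = null;
    $users[$userId]['reset_expires'] = 0;
    return true;
}

// Demonstration
$token = issueResetToken($users, 42);
// This is all a database read would reveal: a digest, not the token itself.
echo "stored in DB: " . $users[42]['reset_hash'] . PHP_EOL;
var_dump(verifyResetToken($users, 42, 'not-the-token'));  // wrong token is rejected
var_dump(verifyResetToken($users, 42, $token));           // the real token is accepted once
var_dump(verifyResetToken($users, 42, $token));           // the consumed token is rejected
```

A 32-byte random token hashed with SHA-256 does not need a salt or a slow hash: the token has far more entropy than a password, so a digest cannot be brute-forced, and the only property needed is that the stored value cannot be turned back into the token. Adding an expiry and clearing the digest after use limits the window in which even a leaked raw token (for example from a mail log) is useful.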
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 1.5.15 and all previous 1.5 releases
- Exploit type: Session fixation
- Reported Date: 2010-Mar-25
- Fixed Date: 2010-Apr-23
Description
The session id is not regenerated when a user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific session cookie; if the user then logs in, the remote site can use that same cookie to authenticate as that user.
Affected Installs
All 1.5.x installs prior to and including 1.5.15 are affected.
Solution
Upgrade to the latest Joomla! version (1.5.16 or later)
Contact
The JSST at the Joomla! Security Centre.
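The fix for the session fixation issue above is to issue a fresh session id at the moment of authentication, so that an id planted before login never becomes an authenticated session. The following is an added example written for this page, not Joomla! code; it runs from the PHP CLI, uses a fixed credential map as a stand-in for the user table, and the function name and the planted id value are hypothetical.

```php
<?php
// Added example (not Joomla!'s own code): rotate the session id on login.
// Assumptions: runnable from the CLI; $credentials is a hypothetical stand-in
// for the user table; the pre-set session id simulates a cookie planted by a
// third party before the visitor logged in.

declare(strict_types=1);

// Hypothetical credential store: username => password hash
$credentials = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $credentials, string $user, string $password): bool
{
    if (!isset($credentials[$user]) || !password_verify($password, $credentials[$user])) {
        return false;
    }
    // Fixation defence: discard the pre-authentication id (and delete its
    // server-side data) and continue under a newly generated one. Whoever
    // holds the old id is left with a session that no longer exists.
    session_regenerate_id(true);
    $_SESSION['user']             = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}

// Demonstration: the visitor arrives with an id chosen by someone else.
session_id('plantedbyathirdparty0000000000000'); // hypothetical pre-set cookie value
session_start();
$before = session_id();

if (login($credentials, 'alice', 'correct horse battery staple')) {
    $after = session_id();
    echo "pre-login id:  {$before}" . PHP_EOL;
    echo "post-login id: {$after}" . PHP_EOL;
    echo ($before !== $after ? 'session id rotated' : 'BUG: session id unchanged') . PHP_EOL;
}
```

Regenerating on login is the essential step; regenerating again on privilege changes (for example entering the administrator backend) and on logout is the same idea applied consistently. Independently of the application code, setting `session.use_strict_mode = 1` in php.ini makes PHP refuse to adopt a session id it did not itself issue, which removes the ability to plant an arbitrary id in the first place.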