- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 1.5.0 through 3.8.11
- Exploit type: XSS
- Reported Date: 2018-July-10
- Fixed Date: 2018-August-28
- CVE Number: CVE-2018-15880
Description
Inadequate output filtering on the user profile page could lead to a stored XSS attack.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.11
Solution
Upgrade to version 3.8.12
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fouad Maakor
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 1.5.0 through 3.8.11
- Exploit type: Malicious file upload
- Reported Date: 2018-August-23
- Fixed Date: 2018-August-28
- CVE Number: CVE-2018-15882
Description
Inadequate checks in the InputFilter class could allow specifically prepared PHAR files to pass the upload filter.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.11
Solution
Upgrade to version 3.8.12
Contact
The JSST at the Joomla! Security Centre.
Reported By: Davide Tampellini
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 1.6.0 through 3.8.8
- Exploit type: XSS
- Reported Date: 2018-May-07
- Fixed Date: 2018-June-26
- CVE Number: CVE-2018-12711
Description
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url.
Affected Installs
Joomla! CMS versions 1.6.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.
Reported By: Borja Lorenzo, Innotecsystem