Joomla! Developer Network™

Download
Launch

News

[20231101] - Core - Exposure of environment variables

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 1.6.0-4.4.0, 5.0.0
  • Exploit type: Information Disclosure
  • Reported Date: 2023-07-14
  • Fixed Date: 2023-11-21
  • CVE Number: CVE-2023-40626

Description

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Contact

The JSST at the Joomla! Security Centre.

[20230502] - Core - Bruteforce prevention within the mfa screen

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Lack of rate limiting
  • Reported Date: 2023-04-29
  • Fixed Date: 2023-05-30
  • CVE Number: CVE-2023-23755

Description

The lack of rate limiting allows brute force attacks against MFA methods.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20230501] - Core - Open Redirects and XSS within the mfa selection

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Open Redirect / XSS
  • Reported Date: 2023-02-28
  • Fixed Date: 2023-05-28
  • CVE Number: CVE-2023-23754

Description

Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Srpopty from huntr.dev

[20230201] - Core - Improper access check in webservice endpoints

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: High
  • Probability: High
  • Versions: 4.0.0-4.2.7
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-02-13
  • Fixed Date: 2023-02-16
  • CVE Number: CVE-2023-23752

Description

An improper access check allows unauthorized access to webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.7

Solution

Upgrade to version 4.2.8

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Zewei Zhang from NSFOCUS TIANJI Lab

[20221101] - Core - RXSS through reflection of user input in com_media

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.4
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-28
  • Fixed Date: 2022-11-08
  • CVE Number: CVE-2022-27914

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media..

Affected Installs

Joomla! CMS versions 4.0.0-4.2.4

Solution

Upgrade to version 4.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By: https://github.com/Denitz

Page 1 of 51