News
[20250901] - Core - Inadequate content filtering within the checkAttribute filter code
- Details
- Project: Joomla! / Joomla! Framework
- SubProject: CMS / filter
- Impact: Moderate
- Severity: Moderate
- Probability: Moderate
- Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
- Exploit type: XSS
- Reported Date: 2025-08-03
- Fixed Date: 2025-09-30
- CVE Number: CVE-2025-54476
Description
Affected Installs
Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
Solution
Upgrade to version 4.4.14 or 5.3.4
Contact
The JSST at the Joomla! Security Centre.
[20250902] - Core - User-Enumeration in passkey authentication method
- Details
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Probability: Low
- Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
- Exploit type: User Enumeration
- Reported Date: 2025-09-04
- Fixed Date: 2025-09-30
- CVE Number: CVE-2025-54477
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3
Solution
Upgrade to version 4.4.14 or 5.3.4
Contact
The JSST at the Joomla! Security Centre.
[20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package
- Details
- Project: Joomla!
- SubProject: Framework
- Impact: High
- Severity: Low
- Probability: Low
- Versions: 1.0.0-2.1.1, 3.0.0-3.3.1
- Exploit type: SQL Injection
- Reported Date: 2025-03-17
- Fixed Date: 2025-04-02
- CVE Number: CVE-2025-25226
Description
Affected Installs
Database Package version: 1.0.0-2.1.1, 3.0.0-3.3.1
Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.
Solution
Upgrade to version 2.2.0 or 3.4.0
Contact
The JSST at the Joomla! Security Centre.
[20250402] - Core - MFA Authentication Bypass
- Details
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Moderate
- Probability: Moderate
- Versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
- Exploit type: Authentication Bypass
- Reported Date: 2025-03-20
- Fixed Date: 2025-04-08
- CVE Number: CVE-2025-25227
Description
Affected Installs
Joomla! CMS versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
Solution
Upgrade to version 4.4.13 or 5.2.6
Contact
The JSST at the Joomla! Security Centre.
[20250301] - Core - Malicious file uploads via Media Manager
- Details
- Project: Joomla!
- SubProject: CMS
- Impact: Critical
- Severity: Low
- Probability: Low
- Versions: 4.0.0-4.4.11, 5.0.0-5.2.4
- Exploit type: Malicious file upload
- Reported Date: 2025-02-25
- Fixed Date: 2025-03-10
- CVE Number: CVE-2025-22213
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.11, 5.0.0-5.2.4
Solution
Upgrade to version 4.4.12 or 5.2.5
Contact
The JSST at the Joomla! Security Centre.