Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.
[20200305] - Core - Incorrect Access Control in com_fields SQL field
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.7.0-3.9.15
- Exploit type: Incorrect Access Control
- Reported Date: 2020-February-28
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10239
Description
Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
Affected Installs
Joomla! CMS versions 3.7.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.
[20200303] - Core - Incorrect Access Control in com_templates
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0-3.9.15
- Exploit type: Incorrect Access Control
- Reported Date: 2020-January-31
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10238
Description
Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.
[20200302] - Core - XSS in Protostar and Beez3
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.15
- Exploit type: XSS
- Reported Date: 2020-February-24
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10242
Description
Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow XSS attacks.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.
[20200301] - Core - CSRF in com_templates image actions
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.2.0-3.9.15
- Exploit type: CSRF
- Reported Date: 2020-February-06
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10241
Description
Missing token checks in the image actions of com_templates causes CSRF vulnerabilities.
Affected Installs
Joomla! CMS versions 3.2.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.
[20200103] - Core - XSS in com_actionlogs
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.9.0-3.9.14
- Exploit type: XSS
- Reported Date: 2019-December-25
- Fixed Date: 2020-January-28
- CVE Number: CVE-2020-8421
Description
Inadequate escaping of usernames allow XSS attacks in com_actionlogs.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.14
Solution
Upgrade to version 3.9.15
Contact
The JSST at the Joomla! Security Centre.
[20200102] - Core - CSRF com_templates LESS compiler
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.0.0-3.9.14
- Exploit type: CSRF
- Reported Date: 2019-December-18
- Fixed Date: 2020-January-28
- CVE Number: CVE-2020-8420
Description
A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.14
Solution
Upgrade to version 3.9.15
Contact
The JSST at the Joomla! Security Centre.
[20200101] - Core - CSRF in batch actions
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.14
- Exploit type: CSRF
- Reported Date: 2019-December-23
- Fixed Date: 2020-January-28
- CVE Number: CVE-2020-8419
Description
Missing token checks in the batch actions of various components causes CSRF vulnerabilities.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.14
Solution
Upgrade to version 3.9.15
Contact
The JSST at the Joomla! Security Centre.
[20191202] - Core - Various SQL injections through configuration parameters
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0 - 3.9.13
- Exploit type: SQL injection
- Reported Date: 2019-December-01
- Fixed Date: 2019-December-17
- CVE Number: CVE-2019-19846
Description
The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.13
Solution
Upgrade to version 3.9.14
Contact
The JSST at the Joomla! Security Centre.
[20191201] - Core - Path Disclosure in framework files
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.8.0 - 3.9.13
- Exploit type: Path Disclosure
- Reported Date: 2019-November-22
- Fixed Date: 2019-December-17
- CVE Number: CVE-2019-19845
Description
Missing access check in framework files could lead to a path disclosure.
Affected Installs
Joomla! CMS versions 3.8.0 - 3.9.13
Solution
Upgrade to version 3.9.14
Contact
The JSST at the Joomla! Security Centre.
[20191002] - Core - Path Disclosure in phpuft8 mapping files
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.6.0 - 3.9.12
- Exploit type: Path Disclosure
- Reported Date: 2019-November-01
- Fixed Date: 2019-November-05
- CVE Number: CVE-2019-18674
Description
Missing access check in the phputf8 mapping files could lead to an path disclosure.
Affected Installs
Joomla! CMS versions 3.6.0 - 3.9.12
Solution
Upgrade to version 3.9.13
Contact
The JSST at the Joomla! Security Centre.