This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-April-10
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-11022 and CVE-2020-11023

Description

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others."

The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-May-06
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-13762

Description

Incorrect input validation of the module tag option in com_modules allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: Bui Duc Anh Khoa from Viettel Cyber Security
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0-3.9.18
  • Exploit type: Insecure Permissions
  • Reported Date: 2020-April-23
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-13763

Description

The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: Brian Teeman
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-May-06
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-13761

Description

Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: Bui Duc Anh Khoa from Viettel Cyber Security
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11889

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-27
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11890

Description

Inproper input validations in the usergroup table class could lead to a broken ACL configuration.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.8.8 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11891

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

Affected Installs

Joomla! CMS versions 3.8.8 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 1.7.0-3.9.15
  • Exploit type: SQL Injection
  • Reported Date: 2020-March-9
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10243

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.

Affected Installs

Joomla! CMS versions 1.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sam Thomas, Pentest.co.uk
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: Other
  • Reported Date: 2020-February-07
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10240

Description

Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao from Viettel Cyber Security
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-28
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10239

Description

Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

Affected Installs

Joomla! CMS versions 3.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC