• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20200602] - Core - Inconsistent default textfilter settings

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0-3.9.18
  • Exploit type: Insecure Permissions
  • Reported Date: 2020-April-23
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-13763

Description

The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: Brian Teeman

[20200601] - Core - XSS in modules heading tag option

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.18
  • Exploit type: XSS
  • Reported Date: 2020-May-06
  • Fixed Date: 2020-June-02
  • CVE Number: CVE-2020-13761

Description

Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.

Reported By: Bui Duc Anh Khoa from Viettel Cyber Security

[20200403] - Core - Incorrect access control in com_users access level deletion function

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11889

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200402] - Core - Missing checks for the root usergroup in usergroup table

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-27
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11890

Description

Inproper input validations in the usergroup table class could lead to a broken ACL configuration.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200401] - Core - Incorrect access control in com_users access level editing function

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.8.8 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11891

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

Affected Installs

Joomla! CMS versions 3.8.8 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200306] - Core - SQL injection in Featured Articles menu parameters

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 1.7.0-3.9.15
  • Exploit type: SQL Injection
  • Reported Date: 2020-March-9
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10243

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.

Affected Installs

Joomla! CMS versions 1.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sam Thomas, Pentest.co.uk

[20200304] - Core - Identifier collisions in com_users

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: Other
  • Reported Date: 2020-February-07
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10240

Description

Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao from Viettel Cyber Security

[20200305] - Core - Incorrect Access Control in com_fields SQL field

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-28
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10239

Description

Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

Affected Installs

Joomla! CMS versions 3.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200303] - Core - Incorrect Access Control in com_templates

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-January-31
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10238

Description

Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200302] - Core - XSS in Protostar and Beez3

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: XSS
  • Reported Date: 2020-February-24
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10242

Description

Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Pham Van Khanh

[20200301] - Core - CSRF in com_templates image actions

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.2.0-3.9.15
  • Exploit type: CSRF
  • Reported Date: 2020-February-06
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10241

Description

Missing token checks in the image actions of com_templates causes CSRF vulnerabilities.

Affected Installs

Joomla! CMS versions 3.2.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200103] - Core - XSS in com_actionlogs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.9.0-3.9.14
  • Exploit type: XSS
  • Reported Date: 2019-December-25
  • Fixed Date: 2020-January-28
  • CVE Number: CVE-2020-8421

Description

Inadequate escaping of usernames allow XSS attacks in com_actionlogs.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.14

Solution

Upgrade to version 3.9.15

Contact

The JSST at the Joomla! Security Centre.

Reported By: Mayank Kumbhar from Techjoomla

[20200102] - Core - CSRF com_templates LESS compiler

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.14
  • Exploit type: CSRF
  • Reported Date: 2019-December-18
  • Fixed Date: 2020-January-28
  • CVE Number: CVE-2020-8420

Description

A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.14

Solution

Upgrade to version 3.9.15

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao from Viettel Cyber Security

[20200101] - Core - CSRF in batch actions

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.14
  • Exploit type: CSRF
  • Reported Date: 2019-December-23
  • Fixed Date: 2020-January-28
  • CVE Number: CVE-2020-8419

Description

Missing token checks in the batch actions of various components causes CSRF vulnerabilities.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.14

Solution

Upgrade to version 3.9.15

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao from Viettel Cyber Security

[20191202] - Core - Various SQL injections through configuration parameters

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0 - 3.9.13
  • Exploit type: SQL injection
  • Reported Date: 2019-December-01
  • Fixed Date: 2019-December-17
  • CVE Number: CVE-2019-19846

Description

The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.13

Solution

Upgrade to version 3.9.14

Contact

The JSST at the Joomla! Security Centre.

Reported By: ka1n4t

[20191201] - Core - Path Disclosure in framework files

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.8.0 - 3.9.13
  • Exploit type: Path Disclosure
  • Reported Date: 2019-November-22
  • Fixed Date: 2019-December-17
  • CVE Number: CVE-2019-19845

Description

Missing access check in framework files could lead to a path disclosure.

Affected Installs

Joomla! CMS versions 3.8.0 - 3.9.13

Solution

Upgrade to version 3.9.14

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao, Viettel Cyber Security

[20191002] - Core - Path Disclosure in phpuft8 mapping files

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.6.0 - 3.9.12
  • Exploit type: Path Disclosure
  • Reported Date: 2019-November-01
  • Fixed Date: 2019-November-05
  • CVE Number: CVE-2019-18674

Description

Missing access check in the phputf8 mapping files could lead to an path disclosure.

Affected Installs

Joomla! CMS versions 3.6.0 - 3.9.12

Solution

Upgrade to version 3.9.13

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

[20191001] - Core - CSRF in com_template overrides view

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.2.0-3.9.12
  • Exploit type: CSRF
  • Reported Date: 2019-October-10
  • Fixed Date: 2019-November-05
  • CVE Number: CVE-2019-18650

Description

A missing token check in com_template causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.2.0 - 3.9.12

Solution

Upgrade to version 3.9.13

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao from Viettel Cyber Security

[20190901] - Core - XSS in logo parameter of default templates

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.11
  • Exploit type: XSS
  • Reported Date: 2019-August-28
  • Fixed Date: 2019-September-24
  • CVE Number: CVE-2019-16725

Description

Inadequate escaping allowed XSS attacks using the logo parameter of the default templates.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.11

Solution

Upgrade to version 3.9.12

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aswin M Guptha

[20190801] - Core - Hardening com_contact contact form

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 1.6.2 - 3.9.10
  • Exploit type: Incorrect Access Control
  • Reported Date: 2019-April-09
  • Fixed Date: 2019-August-13
  • CVE Number: CVE-2019-15028

Description

Inadequate checks in com_contact could allowed mail submission in disabled forms.

Affected Installs

Joomla! CMS versions 1.6.2 - 3.9.10

Solution

Upgrade to version 3.9.11

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sergey Brester

[20190701] - Core - Filter attribute in subform fields allows remote code execution

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.9.7 - 3.9.8
  • Exploit type: Remote Code Execution
  • Reported Date: 2019-June-20
  • Fixed Date: 2019-July-09
  • CVE Number: CVE-2019-14654

Description

Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

Affected Installs

Joomla! CMS versions 3.9.7 - 3.9.8

Solution

Upgrade to version 3.9.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

[20190603] - Core - ACL hardening of com_joomlaupdate

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.8.13 through 3.9.6
  • Exploit type: Incorrect Access Control
  • Reported Date: 2019-April-10
  • Fixed Date: 2019-June-11
  • CVE Number: CVE-2019-12764

Description

The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.

Affected Installs

Joomla! CMS versions 3.8.13 through 3.9.6

Solution

Upgrade to version 3.9.7

Contact

The JSST at the Joomla! Security Centre.

 

[20190602] - Core - XSS in subform field

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.6.0 through 3.9.6
  • Exploit type: XSS
  • Reported Date: 2019-January-01
  • Fixed Date: 2019-June-11
  • CVE Number: CVE-2019-12766

Description

The subform fieldtype does not sufficiently filter or validate input of subfields, this leads to XSS attack vectors.

Affected Installs

Joomla! CMS versions 3.6.0 through 3.9.6

Solution

Upgrade to version 3.9.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Volkmar Schlothauer, ghsvs.de

[20190601] - Core - CSV injection in com_actionlogs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0 through 3.9.6
  • Exploit type: CSV Injection
  • Reported Date: 2019-April-29
  • Fixed Date: 2019-June-11
  • CVE Number: CVE-2019-12765

Description

The CSV export of com_actionslogs is vulnerable to CSV injection.

Affected Installs

Joomla! CMS versions 3.9.0 through 3.9.6

Solution

Upgrade to version 3.9.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)

[20190502] - Core - By-passing protection of Phar Stream Wrapper Interceptor

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.3 through 3.9.5
  • Exploit type: Object Injection
  • Reported Date: 2019-March-27
  • Fixed Date: 2019-May-07

Description

In Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core. In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. The used implementation however is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

Affected Installs

Joomla! CMS versions 3.9.3 through 3.9.5

Solution

Upgrade to version 3.9.6

Contact

The JSST at the Joomla! Security Centre.

Reported By: Daniel le Gall, Fix coordinated by Oliver Hader from TYPO3

Page 6 of 13

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.