This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.
Joomla! CMS versions 2.5.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.
Joomla! CMS versions 3.0.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
Joomla! CMS versions 2.5.0 - 3.9.16
Upgrade to version 3.9.17
The JSST at the Joomla! Security Centre.
Inproper input validations in the usergroup table class could lead to a broken ACL configuration.
Joomla! CMS versions 2.5.0 - 3.9.16
Upgrade to version 3.9.17
The JSST at the Joomla! Security Centre.
Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
Joomla! CMS versions 3.8.8 - 3.9.16
Upgrade to version 3.9.17
The JSST at the Joomla! Security Centre.
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.
Joomla! CMS versions 1.7.0 - 3.9.15
Upgrade to version 3.9.16
The JSST at the Joomla! Security Centre.
Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.
Joomla! CMS versions 3.0.0 - 3.9.15
Upgrade to version 3.9.16
The JSST at the Joomla! Security Centre.
Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
Joomla! CMS versions 3.7.0 - 3.9.15
Upgrade to version 3.9.16
The JSST at the Joomla! Security Centre.
Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
Joomla! CMS versions 2.5.0 - 3.9.15
Upgrade to version 3.9.16
The JSST at the Joomla! Security Centre.
Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow XSS attacks.
Joomla! CMS versions 3.0.0 - 3.9.15
Upgrade to version 3.9.16
The JSST at the Joomla! Security Centre.
Missing token checks in the image actions of com_templates causes CSRF vulnerabilities.
Joomla! CMS versions 3.2.0 - 3.9.15
Upgrade to version 3.9.16
The JSST at the Joomla! Security Centre.
Inadequate escaping of usernames allow XSS attacks in com_actionlogs.
Joomla! CMS versions 3.9.0 - 3.9.14
Upgrade to version 3.9.15
The JSST at the Joomla! Security Centre.
A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
Joomla! CMS versions 3.0.0 - 3.9.14
Upgrade to version 3.9.15
The JSST at the Joomla! Security Centre.
Missing token checks in the batch actions of various components causes CSRF vulnerabilities.
Joomla! CMS versions 3.0.0 - 3.9.14
Upgrade to version 3.9.15
The JSST at the Joomla! Security Centre.
The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
Joomla! CMS versions 2.5.0 - 3.9.13
Upgrade to version 3.9.14
The JSST at the Joomla! Security Centre.
Missing access check in framework files could lead to a path disclosure.
Joomla! CMS versions 3.8.0 - 3.9.13
Upgrade to version 3.9.14
The JSST at the Joomla! Security Centre.
Missing access check in the phputf8 mapping files could lead to an path disclosure.
Joomla! CMS versions 3.6.0 - 3.9.12
Upgrade to version 3.9.13
The JSST at the Joomla! Security Centre.
A missing token check in com_template causes a CSRF vulnerability.
Joomla! CMS versions 3.2.0 - 3.9.12
Upgrade to version 3.9.13
The JSST at the Joomla! Security Centre.
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
Joomla! CMS versions 3.0.0 - 3.9.11
Upgrade to version 3.9.12
The JSST at the Joomla! Security Centre.
Inadequate checks in com_contact could allowed mail submission in disabled forms.
Joomla! CMS versions 1.6.2 - 3.9.10
Upgrade to version 3.9.11
The JSST at the Joomla! Security Centre.
Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
Joomla! CMS versions 3.9.7 - 3.9.8
Upgrade to version 3.9.9
The JSST at the Joomla! Security Centre.
The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.
Joomla! CMS versions 3.8.13 through 3.9.6
Upgrade to version 3.9.7
The JSST at the Joomla! Security Centre.
The subform fieldtype does not sufficiently filter or validate input of subfields, this leads to XSS attack vectors.
Joomla! CMS versions 3.6.0 through 3.9.6
Upgrade to version 3.9.7
The JSST at the Joomla! Security Centre.
The CSV export of com_actionslogs is vulnerable to CSV injection.
Joomla! CMS versions 3.9.0 through 3.9.6
Upgrade to version 3.9.7
The JSST at the Joomla! Security Centre.
In Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core. In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. The used implementation however is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
Joomla! CMS versions 3.9.3 through 3.9.5
Upgrade to version 3.9.6
The JSST at the Joomla! Security Centre.