Developer Network™ Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Versions: 3.0.0 through 3.8.7
- Exploit type:XSS
- Reported Date:2018-February-02 & 2018-March-27
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11326
Description
Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Additional Resources
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 through 3.8.7
- Exploit type: Information Disclosure
- Reported Date: 2018-February-09
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11325
Description
The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and displays the plain text password for the administrator account at the confirmation screen.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Versions: 3.1.0 through 3.8.7
- Exploit type: Information Disclosure
- Reported Date: 2018-April-27
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11327
Description
Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission .
Affected Installs
Joomla! CMS versions 3.1.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0 through 3.8.7
- Exploit type: Malicious file upload
- Reported Date: 2018-March-14
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11322
Description
Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0 through 3.8.7
- Exploit type: ACL violation
- Reported Date: 2018-March-08
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11323
Description
Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.5.0 through 3.8.5
- Exploit type: SQLi
- Reported Date: 2018-March-08
- Fixed Date: 2018-March-12
- CVE Number: CVE-2018-8045
Description
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the User Notes list view
Affected Installs
Joomla! CMS versions 3.5.0 through 3.8.5
Solution
Upgrade to version 3.8.6
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.7.0 through 3.8.3
- Exploit type: SQLi
- Reported Date: 2017-November-17
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6376
Description
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 1.5.0 through 3.8.3
- Exploit type: XSS
- Reported Date: 2017-November-17
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6379
Description
Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.7.0 through 3.8.3
- Exploit type: XSS
- Reported Date: 2018-January-20
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6377
Description
Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0 through 3.8.3
- Exploit type: XSS
- Reported Date: 2018-January-21
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6380
Description
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.