Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS
Reported Date: 2024-06-03
Fixed Date: 2024-07-09
CVE Number: CVE-2024-21730

Description

The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jesper den Boer

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS
Reported Date: 2024-02-20
Fixed Date: 2024-07-09
CVE Number: CVE-2024-21729

Description

Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Marco Kadlubski

Project: Joomla! / Joomla! Framework
SubProject: CMS / filter
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: XSS
Reported Date: 2023-11-22
Fixed Date: 2024-02-20
CVE Number: CVE-2024-21726

Description

Inadequate content filtering leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: High
Probability: High
Versions: 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: XSS
Reported Date: 2024-01-30
Fixed Date: 2024-02-20
CVE Number: CVE-2024-21725

Description

Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 1.6.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: XSS
Reported Date: 2024-01-09
Fixed Date: 2024-02-20
CVE Number: CVE-2024-21724

Description

Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

Affected Installs

Joomla! CMS versions 1.6.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: Open Redirect
Reported Date: 2023-11-08
Fixed Date: 2024-02-20
CVE Number: CVE-2024-21723

Description

Inadequate parsing of URLs could result into an open redirect.

Affected Installs

Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: Insufficient Session Expiration
Reported Date: 2023-11-29
Fixed Date: 2024-02-20
CVE Number: CVE-2024-21722

Description

The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

Affected Installs

Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 1.6.0-4.4.0, 5.0.0
Exploit type: Information Disclosure
Reported Date: 2023-07-14
Fixed Date: 2023-11-21
CVE Number: CVE-2023-40626

Description

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Impact: Critical
Severity: Moderate
Probability: Low
Versions: 4.2.0-4.3.1
Exploit type: Lack of rate limiting
Reported Date: 2023-04-29
Fixed Date: 2023-05-30
CVE Number: CVE-2023-23755

Description

The lack of rate limiting allows brute force attacks against MFA methods.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 4.2.0-4.3.1
Exploit type: Open Redirect / XSS
Reported Date: 2023-02-28
Fixed Date: 2023-05-28
CVE Number: CVE-2023-23754

Description

Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Srpopty from huntr.dev

Page 2 of 28