• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20180801] - Core - Hardening the InputFilter for PHAR stubs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 1.5.0 through 3.8.11
  • Exploit type: Malicious file upload
  • Reported Date: 2018-August-23
  • Fixed Date: 2018-August-28
  • CVE Number: CVE-2018-15882

Description

Inadequate checks in the InputFilter class could allow specifically prepared PHAR files to pass the upload filter.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.11

Solution

Upgrade to version 3.8.12

Contact

The JSST at the Joomla! Security Centre.

Reported By: Davide Tampellini

[20180602] - Core - XSS vulnerability in language switcher module

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 1.6.0 through 3.8.8
  • Exploit type: XSS
  • Reported Date: 2018-May-07
  • Fixed Date: 2018-June-26
  • CVE Number: CVE-2018-12711

Description

In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.8.8

Solution

Upgrade to version 3.8.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Borja Lorenzo, Innotecsystem

[20180601] - Core - Local File Inclusion with PHP 5.3

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.8.8
  • Exploit type: LFI
  • Reported Date: 2018-April-23
  • Fixed Date: 2018-June-26
  • CVE Number: CVE-2018-12712

Description

Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.8.8

Solution

Upgrade to version 3.8.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Davide Tampellini

[20180509] - Core - XSS vulnerability in the media manager

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 1.5.0 through 3.8.7
  • Exploit type: XSS
  • Reported Date: 2017-October-28
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-6378

Description

Inadequate filtering of file and folder names lead to various XSS attack vectors in the media manager.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

[20180508] - Core - Possible XSS attack in the redirect method

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.1.2 through 3.8.7
  • Exploit type: XSS
  • Reported Date: 2018-March-30
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11328

Description

Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could result in a XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.1.2 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

[20180507] - Core - Session deletion race condition

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Medium
  • Severity: Low
  • Versions: 3.0.0 through 3.8.7
  • Exploit type: Session race condition
  • Reported Date: 2017-July-08
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11324

Description

A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Additional Resources

  • More details about the Session deletion race condition

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

[20180506] - Core - Filter field in com_fields allows remote code execution

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.7.0 through 3.8.7
  • Exploit type: Remote Code Execution
  • Reported Date: 2018-May-14
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11321

Description

Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

[20180505] - Core - XSS Vulnerabilities & additional hardening

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Versions: 3.0.0 through 3.8.7
  • Exploit type:XSS
  • Reported Date:2018-February-02 & 2018-March-27
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11326

Description

Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Additional Resources

  • You can find more details and other default changes in 3.8.8 at the Documentation.

Contact

The JSST at the Joomla! Security Centre.

Reported By: Kai Zhao of 3H Security Team & Zhouyuan Yang (FortiGuard Labs)

[20180504] - Core - Installer leaks plain text password to local user

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 through 3.8.7
  • Exploit type: Information Disclosure
  • Reported Date: 2018-February-09
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11325

Description

The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and displays the plain text password for the administrator account at the confirmation screen.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sascha Egerer

[20180503] - Core - Information Disclosure about unpublished tags

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Versions: 3.1.0 through 3.8.7
  • Exploit type: Information Disclosure
  • Reported Date: 2018-April-27
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11327

Description

Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission .

Affected Installs

Joomla! CMS versions 3.1.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor, JSST

[20180502] - Core - Add PHAR files to the upload blacklist

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0 through 3.8.7
  • Exploit type: Malicious file upload
  • Reported Date: 2018-March-14
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11322

Description

Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Demis Palma, JSST

[20180501] - Core - ACL violation in access levels

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0 through 3.8.7
  • Exploit type: ACL violation
  • Reported Date: 2018-March-08
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11323

Description

Inadequate checks allowed users to modify the access levels of user groups with higher permissions.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: Matias Aguirre, JSST

[20180301] - Core - SQLi vulnerability User Notes

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.5.0 through 3.8.5
  • Exploit type: SQLi
  • Reported Date: 2018-March-08
  • Fixed Date: 2018-March-12
  • CVE Number: CVE-2018-8045

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the User Notes list view

Affected Installs

Joomla! CMS versions 3.5.0 through 3.8.5

Solution

Upgrade to version 3.8.6

Contact

The JSST at the Joomla! Security Centre.

Reported By: Entropy Moe

[20180104] - Core - SQLi vulnerability in Hathor postinstall message

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: SQLi
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6376

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Karim Ouerghemmi, ripstech.com

[20180103] - Core - XSS vulnerability in Uri class

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 1.5.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6379

Description

Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Octavian Cinciu

[20180102] - Core - XSS vulnerability in com_fields

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-20
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6377

Description

Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

[20180101] - Core - XSS vulnerability in module chromes

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-21
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6380

Description

Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

[20171103] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.8.1
  • Exploit type: Information Disclosure
  • Reported Date: 2017-May-17
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-16633

Description

A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.1

Solution

Upgrade to version 3.8.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Internal JSST audit

[20171102] - Core - 2-factor-authentication bypass

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 3.2.0 through 3.8.1
  • Exploit type: 
  • Reported Date: 2017-October-31
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-16634

Description

A bug allowed third parties to bypass a user's 2-factor-authentication method.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.8.1

Solution

Upgrade to version 3.8.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Yarince

[20171101] - Core - LDAP Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 1.5.0 through 3.8.1
  • Exploit type: Information Disclosure
  • Reported Date: 2017-October-06
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-14596

Description

Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.1

Solution

Upgrade to version 3.8.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

[20170901] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-August-4
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14595

Description

A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.7.5

Solution

Upgrade to version 3.8.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Michal Prochaczek

[20170902] - Core - LDAP Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 1.5.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-July-27
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14596

Description

Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.7.5

Solution

Upgrade to version 3.8.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

[20170704] - Core - Installer: Lack of Ownership Verification

  • Project: Joomla!
  • SubProject: CMS Installer
  • Severity: High
  • Versions: 1.0.0 through 3.7.3
  • Exploit type: Lack of Ownership Verification
  • Reported Date: 2017-Apr-06
  • Fixed Date: 2017-July-25
  • CVE Number: CVE-2017-11364

Description

The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control.

Please note: Already installed sites are not affected, as this issue is limited to the installer application!

Affected Installs

Joomla! CMS versions 1.0.0 through 3.7.3

Solution

Upgrade to version 3.7.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hanno Böck

[20170705] - Core - XSS Vulnerability

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.7.3
  • Exploit type: XSS
  • Reported Date: 2017-April-26
  • Fixed Date: 2017-July-25
  • CVE Number: CVE-2017-11612

Description

Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.7.3

Solution

Upgrade to version 3.7.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Beat B, JSST

[20170701] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 1.7.3 - 3.7.2
  • Exploit type: Information Disclosure
  • Reported Date: 2016-Feb-05
  • Fixed Date: 2017-July-04
  • CVE Number: CVE-2017-9933

Description

Improper cache invalidation leads to disclosure of form contents.

Affected Installs

Joomla! CMS versions 1.7.3-3.7.2

Solution

Upgrade to version 3.7.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jeff Channell

Page 8 of 13

  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.