Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.
[20200604] - Core - XSS in jQuery.htmlPrefilter
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-April-10
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-11022 and CVE-2020-11023
Description
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others."
The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
[20200603] - Core - XSS in com_modules tag options
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-May-06
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13762
Description
Incorrect input validation of the module tag option in com_modules allow XSS attacks.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
[20200602] - Core - Inconsistent default textfilter settings
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0-3.9.18
- Exploit type: Insecure Permissions
- Reported Date: 2020-April-23
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13763
Description
The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
[20200601] - Core - XSS in modules heading tag option
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-May-06
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13761
Description
Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
[20200403] - Core - Incorrect access control in com_users access level deletion function
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0 - 3.9.16
- Exploit type: Incorrect Access Control
- Reported Date: 2020-March-13
- Fixed Date: 2020-April-21
- CVE Number: CVE-2020-11889
Description
Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.16
Solution
Upgrade to version 3.9.17
Contact
The JSST at the Joomla! Security Centre.
[20200402] - Core - Missing checks for the root usergroup in usergroup table
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0 - 3.9.16
- Exploit type: Incorrect Access Control
- Reported Date: 2020-February-27
- Fixed Date: 2020-April-21
- CVE Number: CVE-2020-11890
Description
Inproper input validations in the usergroup table class could lead to a broken ACL configuration.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.16
Solution
Upgrade to version 3.9.17
Contact
The JSST at the Joomla! Security Centre.
[20200401] - Core - Incorrect access control in com_users access level editing function
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.8.8 - 3.9.16
- Exploit type: Incorrect Access Control
- Reported Date: 2020-March-13
- Fixed Date: 2020-April-21
- CVE Number: CVE-2020-11891
Description
Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
Affected Installs
Joomla! CMS versions 3.8.8 - 3.9.16
Solution
Upgrade to version 3.9.17
Contact
The JSST at the Joomla! Security Centre.
[20200306] - Core - SQL injection in Featured Articles menu parameters
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 1.7.0-3.9.15
- Exploit type: SQL Injection
- Reported Date: 2020-March-9
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10243
Description
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.
Affected Installs
Joomla! CMS versions 1.7.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.
[20200304] - Core - Identifier collisions in com_users
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.0.0-3.9.15
- Exploit type: Other
- Reported Date: 2020-February-07
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10240
Description
Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.
[20200305] - Core - Incorrect Access Control in com_fields SQL field
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.7.0-3.9.15
- Exploit type: Incorrect Access Control
- Reported Date: 2020-February-28
- Fixed Date: 2020-March-10
- CVE Number: CVE-2020-10239
Description
Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
Affected Installs
Joomla! CMS versions 3.7.0 - 3.9.15
Solution
Upgrade to version 3.9.16
Contact
The JSST at the Joomla! Security Centre.