Developer Network™

Download
Launch

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: Open Redirect
  • Reported Date: 2023-11-08
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21723

Description

Inadequate parsing of URLs could result into an open redirect.

Affected Installs

Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: Insufficient Session Expiration
  • Reported Date: 2023-11-29
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21722

Description

The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

Affected Installs

Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 1.6.0-4.4.0, 5.0.0
  • Exploit type: Information Disclosure
  • Reported Date: 2023-07-14
  • Fixed Date: 2023-11-21
  • CVE Number: CVE-2023-40626

Description

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Contact

The JSST at the Joomla! Security Centre.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Lack of rate limiting
  • Reported Date: 2023-04-29
  • Fixed Date: 2023-05-30
  • CVE Number: CVE-2023-23755

Description

The lack of rate limiting allows brute force attacks against MFA methods.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Open Redirect / XSS
  • Reported Date: 2023-02-28
  • Fixed Date: 2023-05-28
  • CVE Number: CVE-2023-23754

Description

Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Srpopty from huntr.dev

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: High
  • Probability: High
  • Versions: 4.0.0-4.2.7
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-02-13
  • Fixed Date: 2023-02-16
  • CVE Number: CVE-2023-23752

Description

An improper access check allows unauthorized access to webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.7

Solution

Upgrade to version 4.2.8

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Zewei Zhang from NSFOCUS TIANJI Lab

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.4
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-28
  • Fixed Date: 2022-11-08
  • CVE Number: CVE-2022-27914

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media..

Affected Installs

Joomla! CMS versions 4.0.0-4.2.4

Solution

Upgrade to version 4.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By: https://github.com/Denitz

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.6
  • Exploit type: CSRF
  • Reported Date: 2022-12-24
  • Fixed Date: 2023-01-31
  • CVE Number: CVE-2023-23750

Description

A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.6

Solution

Upgrade to version 4.2.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Faizan Wani

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.6
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-01-01
  • Fixed Date: 2023-01-31
  • CVE Number: CVE-2023-23751

Description

A missing ACL check allows non super-admin users to access com_actionlogs.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.6

Solution

Upgrade to version 4.2.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Faizan Wani

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.3
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-07
  • Fixed Date: 2022-10-25
  • CVE Number: CVE-2022-27913

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.3

Solution

Upgrade to version 4.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Ajith Menon

Page 3 of 28