This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
Missing CSRF token checks and improper input validation lead to an XSS vulnerability.
Joomla! CMS versions 1.7.3-3.7.2
Upgrade to version 3.7.3
The JSST at the Joomla! Security Centre.
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
Joomla! CMS versions 1.5.0 through 3.6.5
Upgrade to version 3.7.3
The JSST at the Joomla! Security Centre.
Inadequate filtering of request data leads to a SQL Injection vulnerability.
Joomla! CMS versions 3.7.0
Upgrade to version 3.7.1
The JSST at the Joomla! Security Centre.
Multiple files caused full path disclosures on systems with enabled error reporting.
Joomla! CMS versions 3.4.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Inadequate mime type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.
Joomla! CMS versions 3.2.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Inadequate filtering of form contents lead allow to overwrite the author of an article.
Joomla! CMS versions 1.6.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.
Joomla! CMS versions 3.2.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.
Joomla! CMS versions 1.5.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
Joomla! CMS versions 1.5.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Inadequate filtering leads to XSS in the template manager component.
Joomla! CMS versions 3.2.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
Mail sent using the JMail API leaked the used PHPMailer version in the mail headers.
Joomla! CMS versions 1.5.0 through 3.6.5
Upgrade to version 3.7.0
The JSST at the Joomla! Security Centre.
All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.20 which will be included with Joomla! 3.7. After analysis, the JSST has determined that through correct use of the JMail class, there are additional validations in place which make executing this vulnerability impractical within the Joomla environment. As well, the vulnerability requires being able to pass user input to a message's "from" address; all places in the core Joomla API which send mail use the sender address set in the global configuration and does not allow for user input to be set elsewhere. However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue.
Generally, the Joomla project does not issue advisories regarding third party libraries, however given the severity of this issue we felt it important to advise our users that we are aware of this issue and we have determined that the additional validations in our API prevent triggering this vulnerability.
Joomla! CMS versions 1.5.0 through 3.6.5
No action required for Joomla users, the updated library will be included in the next scheduled release and additional mechanisms exist in Joomla core to prevent triggering the vulnerability. Users of the PHPMailer library separate from Joomla are advised to upgrade to 5.2.20 or newer ASAP.
The JSST at the Joomla! Security Centre.
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restricts a user's ability to make potentially damaging configuration changes. This includes restricting the ability to set the "New User Registration Group" and "Guest User Group" to a group with Super User permissions and restricting the ability for a lesser privileged user to make user group assignment changes to users in a Super User group.
Additionally, we have modified the behavior of JUser::authorise() to only return a boolean value. Previously, this method could return either a boolean value or null because the underlying call to JAccess::check() can also return a null value; neither JUser::authorise() or JAccess::check() documented this though. We have determined that based on how the API is used that JUser::authorise() should only return a boolean value. If a developer requires the previous behavior of a null return value (which indicates an "implicit" denied state versus "explicit" signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
The JSST at the Joomla! Security Centre.
Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.
Joomla! CMS versions 3.0.0 through 3.6.4
Upgrade to version 3.6.5
The JSST at the Joomla! Security Centre.
Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.
Joomla! CMS versions 3.0.0 through 3.6.4
Upgrade to version 3.6.5
The JSST at the Joomla! Security Centre.
Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
Joomla! CMS versions 1.6.0 through 3.6.4
Upgrade to version 3.6.5
The JSST at the Joomla! Security Centre.
Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
Joomla! CMS versions 3.4.4 through 3.6.3
Upgrade to version 3.6.4
The JSST at the Joomla! Security Centre.
Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.
Joomla! CMS versions 3.4.4 through 3.6.3
Upgrade to version 3.6.4
The JSST at the Joomla! Security Centre.
Inadequate checks allows for users to register on a site when registration has been disabled.
Joomla! CMS versions 3.4.4 through 3.6.3
Upgrade to version 3.6.4
The JSST at the Joomla! Security Centre.
Inadequate escaping leads to XSS vulnerability in mail component.
Joomla! CMS versions 1.6.0 through 3.6.0
Upgrade to version 3.6.1
The JSST at the Joomla! Security Centre.
Inadequate ACL checks in com_content provide potential read access to data which should be access restricted to users with edit_own level.
Joomla! CMS versions 1.6.0 through 3.6.0
Upgrade to version 3.6.1
The JSST at the Joomla! Security Centre.
Add additional CSRF hardening in com_joomlaupdate.
Joomla! CMS version 3.6.0
Upgrade to version 3.6.1
The JSST at the Joomla! Security Centre.
Inadequate filtering of request data leads to a SQL Injection vulnerability.
Joomla! CMS versions 3.0.0 through 3.4.6
Upgrade to version 3.4.7
The JSST at the Joomla! Security Centre.
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.
Joomla! CMS versions 1.5.0 through 3.4.6
Upgrade to version 3.4.7
The JSST at the Joomla! Security Centre.
Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability.
Joomla! CMS versions 1.5.0 through 3.4.5
Upgrade to version 3.4.6
The JSST at the Joomla! Security Centre.