• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20120102] - Core - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Moderate
  • Versions: 1.7.3 and all earlier 1.7 and 1.6 versions
  • Exploit type: XSS Vulnerability
  • Reported Date: 2011-November-16
  • Fixed Date: 2012-January-24

Description

Inadequate filtering leads to XSS vulnerability.

Affected Installs

Joomla! version 1.7.3 and all earlier versions

Solution

Upgrade to version 1.7.4 or 2.5.0 or higher

Contact

The JSST at the Joomla! Security Centre.

Reported By: Ankita Kapadia

[20120103] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.7.3 and all earlier 1.7 and 1.6 versions
  • Exploit type: Information Disclosure
  • Reported Date: 2011-December-19
  • Fixed Date: 2012-January-24

Description

Inadequate filtering leads to information disclosure.

Affected Installs

Joomla! version 1.7.3 and all earlier versions

Solution

Upgrade to version 1.7.4 or 2.5.0 or higher

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jean-Marie Simonet

[20120104] - Core - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Moderate
  • Versions: 1.7.3 and all earlier versions
  • Exploit type: XSS Vulnerability
  • Reported Date: 2012-January-22
  • Fixed Date: 2012-January-24

Description

Inadequate filtering leads to XSS vulnerability.

Affected Installs

Joomla! version 1.7.3 and all earlier 1.7 and 1.6 versions

Solution

Upgrade to version 1.7.4 or 2.5.0 or higher

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin

[20111101] - Core - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Medium
  • Versions: 1.7.2 and all 1.6.x versions
  • Exploit type: XSS
  • Reported Date: 2011-October-21
  • Fixed Date: 2011-November-14

Description

Inadequate filtering leads to XSS vulnerability in back end.

Affected Installs

Joomla! version 1.7.2 and all earlier 1.7.x and 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.7.3 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Corné Hannema

[20111102] - Core - Password Change

  • Project: Joomla!
  • SubProject: All
  • Severity: High
  • Versions: 1.7.2 and all 1.6.x versions
  • Exploit type: Password Change
  • Reported Date: 2011-October-28
  • Fixed Date: 2011-November-14

Description

Weak random number generation during password reset leads to possibility of changing a user's password.

Affected Installs

Joomla! version 1.7.2 and all earlier 1.7.x and 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.7.3 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Gregor Kopf and David Jardin

[20111103] - Core - Password Change

  • Project: Joomla!
  • SubProject: All
  • Severity: High
  • Versions: 1.5.24 and all earlier 1.5 versions
  • Exploit type: Password Change
  • Reported Date: 2011-October-28
  • Fixed Date: 2011-November-14

Description

Weak random number generation during password reset leads to possibility of changing a user's password.

Affected Installs

Joomla! version 1.5.24 and all earlier 1.5 versions

Solution

Upgrade to the latest Joomla! 1.5 version (1.5.25 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Gregor Kopf and David Jardin

[20111001] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: All
  • Severity: Moderate
  • Versions: 1.7.1
  • Exploit type: Information Disclosure
  • Reported Date: 2011-September-09
  • Fixed Date: 2011-October-17

Description

Weak encryption causes potential information disclosure.

Affected Installs

Joomla! version 1.7.1 and earlier

Solution

Upgrade to the latest Joomla! version (1.7.2 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jeff Channell

[20111002] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.7.1
  • Exploit type: Information Disclosure
  • Reported Date: 2011-August-02
  • Fixed Date: 2011-October-17

Description

Inadequate error checking causes potential information disclosure.

Affected Installs

Joomla! version 1.7.1 and earlier

Solution

Upgrade to the latest Joomla! version (1.7.2 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aung Khant, YGN Ethical Hacker Group

[20111003] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: All
  • Severity: Moderate
  • Versions: 1.5.23 and earlier
  • Exploit type: Information Disclosure
  • Reported Date: 2011-September-09
  • Fixed Date: 2011-October-17

Description

Weak encryption causes potential information disclosure.

Affected Installs

Joomla! version 1.5.23 and earlier

Solution

Upgrade to the latest Joomla! version (1.5.24 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jeff Channell

[20110903] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.7.0
  • Exploit type: Information Disclosure
  • Reported Date: 2011-September-23
  • Fixed Date: 2011-September-26

Description

Inadequate error checking causes information disclosure.

Affected Installs

Joomla! version 1.7.0

Solution

Upgrade to the latest Joomla! version (1.7.1 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: National Vulnerability Database

[20110901] - Core - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Medium
  • Versions: 1.7.0 and all 1.6.x versions
  • Exploit type: XSS
  • Reported Date: 2011-August-02
  • Fixed Date: 2011-September-22

Description

Inadequate escaping leads to XSS vulnerability in com_search.

Affected Installs

Joomla! version 1.7.0 and all 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.7.1 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aung Khant

[20110902] - Core - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Medium
  • Versions: 1.7.0 and all 1.6.x versions
  • Exploit type: XSS
  • Reported Date: 2011-August-02
  • Fixed Date: 2011-September-22

Description

Inadequate escaping leads to XSS vulnerability in back end.

Affected Installs

Joomla! version 1.7.0 and all 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.7.1 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aung Khant

[20110701] - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Medium
  • Versions: 1.6.5 and all earlier 1.6.x versions
  • Exploit type: XSS
  • Reported Date: 2011-July-11
  • Fixed Date: 2011-July-19

Description

Inadequate escaping leads to XSS vulnerability.

Affected Installs

Joomla! version 1.6.5 and all earlier 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.6.6 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aung Khant

[20110602] - Information Disclosure

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.6.3 and all earlier 1.6.x versions
  • Exploit type: Information Disclosure
  • Reported Date: 2011-May-25
  • Fixed Date: 2011-June-23

Description

Inadequate filtering causes possible information disclosure.

Affected Installs

Joomla! version 1.6.3 and all earlier 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.6.4 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aung Khant

[20110604] - XSS Vulnerability

  • Project: Joomla!
  • SubProject: All
  • Severity: Medium
  • Versions: 1.6.3 and all earlier 1.6.x versions
  • Exploit type: XSS
  • Reported Date: 2011-May-25
  • Fixed Date: 2011-June-27

Description

Inadequate filtering leads to XSS vulnerability.

Affected Installs

Joomla! version 1.6.3 and all earlier 1.6.x versions

Solution

Upgrade to the latest Joomla! version (1.6.4 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Aung Khant

[20100423] - Core - Password Reset Tokens

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.5.15 and all previous 1.5 releases
  • Exploit type: Unauthorised Access
  • Reported Date: 2010-Jan-07
  • Fixed Date: 2010-Apr-23

Description

When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.

Affected Installs

All 1.5.x installs prior to and including 1.5.15 are affected.

Solution

Upgrade to the latest Joomla! version (1.5.16 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Madis Abel

[20100423] - Core - Sessation Fixation

  • Project: Joomla!
  • SubProject: All
  • Severity: Moderate
  • Versions: 1.5.15 and all previous 1.5 releases
  • Exploit type: Session fixation
  • Reported Date: 2010-Mar-25
  • Fixed Date: 2010-Apr-23

Description

Session id doesn't get modified when user logs in.  A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie.  If the user then logs in, the remote site can use that cookie to authenticate as that user.

Affected Installs

All 1.5.x installs prior to and including 1.5.15 are affected.

Solution

Upgrade to the latest Joomla! version (1.5.16 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Raúl Siles and Steven Pignataro

[20100423] - Core - Installer Migration Script

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.5.15 and all previous 1.5 releases
  • Exploit type: Code upload
  • Reported Date: 2009-Dec-30
  • Fixed Date: 2010-Apr-23

Description

The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server.

Affected Installs

All 1.5.x installs prior to and including 1.5.15 are affected.

Solution

Upgrade to the latest Joomla! version (1.5.16 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Nicola Bettini

[20100423] - Core - Negative Values for Limit and Offset

  • Project: Joomla!
  • SubProject: All
  • Severity: Moderate
  • Versions: 1.5.15 and all previous 1.5 releases
  • Exploit type: information Disclosure
  • Reported Date: 2010-Feb-21
  • Fixed Date: 2010-Apr-23

Description

If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system.

Affected Installs

All 1.5.x installs prior to and including 1.5.15 are affected.

Solution

Upgrade to the latest Joomla! version (1.5.16 or later)

Contact

The JSST at the Joomla! Security Centre.

Reported By: Security List

[20091103] - Core - XML File Read Issue

  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 1.5.14 and all previous 1.5 releases
  • Exploit type: Extension Version Disclosure
  • Reported Date: 2009-October-13
  • Fixed Date: 2009-Nov-03

Description

It is possible to read the contents of an extension's XML file and find the version number of the installed extension. This could allow people to exploit a known security flaws for a specific version of an extension.

Affected Installs

All 1.5.x installs prior to and including 1.5.14 are affected.

Solution

Turn on Apache mod_rewrite and configure your .htaccess file to filter out XML files. In the htaccess.txt file shipped with version 1.5.15, lines 35-39 contain example code that will deny access to XML files. You can incorporate this code (or similar code) into your .htaccess file. Be sure to test that it does not cause problems on your site.

Contact

The JSST at the Joomla! Security Centre.

Reported By: WHK and Gergő Erdősi

[20091103] - Core - Front-End Editor Issue

  • Project: Joomla!
  • SubProject: com_content
  • Severity: Moderate
  • Versions: 1.5.14 and all previous 1.5 releases
  • Exploit type: Front-End Editing
  • Reported Date: 2009-September-05
  • Fixed Date: 2009-November-03

Description

When logged into the front end with Author access, it was possible to replace an article written by another user.

Affected Installs

All 1.5.x installs prior to and including 1.5.14 are affected.

Solution

Upgrade to latest Joomla! version (1.5.15 or newer).

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hannes Papenberg

[20090722] - Core - Missing JEXEC Check

  • Project: Joomla!
  • SubProject: Framework
  • Severity: Moderate
  • Versions: 1.5.12 and all previous 1.5 releases
  • Exploit type: Path Disclosure
  • Reported Date: 2009-July-21
  • Fixed Date: 2009-July-22

Description

Some files were missing the check for JEXEC. These scripts will then expose internal path information of the host.

Affected Installs

All 1.5.x installs prior to and including 1.5.12 are affected.

Solution

Upgrade to latest Joomla! version (1.5.13 or newer).

Contact

The JSST at the Joomla! Security Centre.

Reported By: Juan Galiana Lara (Internet Security Auditors)

[20090723] - Core - com_mailto Timeout Issue

  • Project: Joomla!
  • SubProject: com_mailto
  • Severity: Low
  • Versions: 1.5.13 and all previous 1.5 releases
  • Exploit type: Email
  • Reported Date: 2009-July-28
  • Fixed Date: 2009-July-30

Description

In com_mailto, it was possible to bypass timeout protection against sending automated emails.

Affected Installs

All 1.5.x installs prior to and including 1.5.13 are affected.

Solution

Upgrade to latest Joomla! version (1.5.14 or newer).

Contact

The JSST at the Joomla! Security Centre.

Reported By: WHK and Gergő Erdősi

[20090722] - Core - File Upload

  • Project: Joomla!
  • SubProject: TinyMCE editor
  • Severity: Critical
  • Versions: 1.5.12
  • Exploit type: Image File upload
  • Reported Date: 2009-July-22
  • Fixed Date: 2009-July-22

Description

Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded and removed without logging in.

Affected Installs

Version 1.5.12 only

Solution

Upgrade to latest Joomla! version (1.5.13 or newer).

Contact

The JSST at the Joomla! Security Centre.

Reported By: Patrice Lazareff

[20090604] - Core - Frontend XSS - HTTP_REFERER not properly filtered

  • Project: Joomla!
  • SubProject: Site client
  • Severity: Moderate
  • Versions: 1.5.11 and all previous 1.5 releases
  • Exploit type: XSS
  • Reported Date: 2009-June-30
  • Fixed Date: 2009-June-30

Description

An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.

Affected Installs

All 1.5.x installs prior to and including 1.5.11 are affected.

Solution

Upgrade to latest Joomla! version (1.5.12 or newer).

Contact

The JSST at the Joomla! Security Centre.

Reported By: Juan Galiana Lara (Internet Security Auditors)

Page 12 of 13

  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.