Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0 - 3.9.27
- Exploit type: XSS
- Reported Date: 2021-06-22
- Fixed Date: 2021-07-06
- CVE Number: CVE-2021-26039
Description
Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.27
Solution
Upgrade to version 3.9.28
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0 - 3.9.27
- Exploit type: Incorrect Access Control
- Reported Date: 2021-06-06
- Fixed Date: 2021-07-06
- CVE Number: CVE-2021-26038
Description
Install action in com_installer lack the required hardcoded ACL checks for superusers, leading to various potential attack vectors. A default system is not affected cause by default com_installer is limited to super users already.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.27
Solution
Upgrade to version 3.9.28
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0 - 3.9.27
- Exploit type: Incorrect Session Handling
- Reported Date: 2019-02-08
- Fixed Date: 2021-07-06
- CVE Number: CVE-2021-26037
Description
Various CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.27
Solution
Upgrade to version 3.9.28
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 - 3.9.27
- Exploit type: DoS
- Reported Date: 2021-06-08
- Fixed Date: 2021-07-06
- CVE Number: CVE-2021-26036
Description
Missing validation of input could lead to a broken usergroups table.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.27
Solution
Upgrade to version 3.9.28
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.27
- Exploit type: XSS
- Reported Date: 2021-05-29
- Fixed Date: 2021-07-06
- CVE Number: CVE-2021-26035
Description
Inadequate escaping in the Rules field of the JForm API leads to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.27
Solution
Upgrade to version 3.9.28
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.26
- Exploit type: CSRF
- Reported Date: 2021-05-07
- Fixed Date: 2021-05-25
- CVE Number: CVE-2021-26034
Description
A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.26
Solution
Upgrade to version 3.9.27
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.26
- Exploit type: CSRF
- Reported Date: 2021-05-07
- Fixed Date: 2021-05-25
- CVE Number: CVE-2021-26033
Description
A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.26
Solution
Upgrade to version 3.9.27
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.26
- Exploit type: XSS
- Reported Date: 2021-03-05
- Fixed Date: 2021-05-25
- CVE Number: CVE-2021-26032
Description
HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.26
Solution
Upgrade to version 3.9.27
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.25
- Exploit type: LFI
- Reported Date: 2021-01-03
- Fixed Date: 2021-04-13
- CVE Number: CVE-2021-26031
Description
Inadequate filters on module layout settings could lead to an LFI.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.25
Solution
Upgrade to version 3.9.26
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 - 3.9.25
- Exploit type: XSS
- Reported Date: 2021-03-09
- Fixed Date: 2021-04-13
- CVE Number: CVE-2021-26030
Description
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.25
Solution
Upgrade to version 3.9.26
Contact
The JSST at the Joomla! Security Centre.