• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • Documentation
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • Developer Network
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20201106] - Core - CSRF in com_privacy emailexport feature

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0-3.9.22
  • Exploit type: CSRF
  • Reported Date: 2020-10-08
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35615

Description

A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lee Thao from Viettel Cyber Security

[20201105] - Core - User Enumeration in backend login

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0-3.9.22
  • Exploit type: User Enumeration
  • Reported Date: 2020-08-15
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35614

Description

Improper handling of the username leads to a user enumeration attack vector in the backend login page.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20201104] - Core - SQL injection in com_users list view

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.22
  • Exploit type: SQL Injection
  • Reported Date: 2020-10-13
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35613

Description

Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ka1n4t

[20201103] - Core - Path traversal in mod_random_image

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0-3.9.22
  • Exploit type: Path traversal
  • Reported Date: 2020-10-06
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35612

Description

The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lee Thao from Viettel Cyber Security, Phil Taylor

[20201102] - Core - Disclosure of secrets in Global Configuration page

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0-3.9.22
  • Exploit type: Information Disclosure
  • Reported Date: 2020-09-23
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35611

Description

The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Corch

[20201101] - Core - com_finder ignores access levels on autosuggest

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0-3.9.22
  • Exploit type: Information Disclosure
  • Reported Date: 2020-06-21
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35610

Description

The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20200802] - Core - Open redirect in com_content vote feature

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0-3.9.20
  • Exploit type: Open Redirect
  • Reported Date: 2020-July-05
  • Fixed Date: 2020-August-25
  • CVE Number: CVE-2020-24598

Description

Lack of input validation in com_content leads to an open redirect.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.20

Solution

Upgrade to version 3.9.21

Contact

The JSST at the Joomla! Security Centre.

Reported By: Ahmad Kamaran Jamil

[20200803] - Core - Directory traversal in com_media

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0-3.9.20
  • Exploit type: Directory Traversal
  • Reported Date: 2020-February-02
  • Fixed Date: 2020-August-25
  • CVE Number: CVE-2020-24597

Description

Lack of input validation allows com_media root paths outside of the webroot.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.20

Solution

Upgrade to version 3.9.21

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200801] - Core - XSS in mod_latestactions

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.9.0-3.9.20
  • Exploit type: XSS
  • Reported Date: 2020-August-21
  • Fixed Date: 2020-August-25
  • CVE Number: CVE-2020-24599

Description

Lack of escaping in mod_latestactions allows XSS attacks.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.20

Solution

Upgrade to version 3.9.21

Contact

The JSST at the Joomla! Security Centre.

Reported By: Peter Martin

[20200706] - Core - System Information screen could expose redis or proxy credentials

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0-3.9.19
  • Exploit type: Information Disclosure
  • Reported Date: 2020-Jun-17
  • Fixed Date: 2020-July-14
  • CVE Number: CVE-2020-15698

Description

Inadequate filtering in the system information screen could expose redis or proxy credentials

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.19

Solution

Upgrade to version 3.9.20

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

Page 5 of 25

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 3 4.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 2.x
  • Development Status

Resources

  • Development Strategy
  • Security Announcements
  • Report Security Issues
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • en-GB User Interface Text Guidelines
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Twitter
  • Joomla! on Facebook
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Resources
  • Docs
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in

© 2005 - 2023 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.