• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20240804] - Core - Improper ACL for backend profile view

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27187

Description

Improper Access Controls allows backend users to overwrite their username when disallowed.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elysee Franchuk

[20240803] - Core - XSS in HTML Mail Templates

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27186

Description

The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elysee Franchuk

[20240802] - Core - Cache Poisoning in Pagination

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: Cache Poisoning
  • Reported Date: 2024-05-23
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27185

Description

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Shane Edwards

[20240801] - Core - Inadequate validation of internal URLs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: Open redirect
  • Reported Date: 2024-03-20
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27184

Description

Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.

Affected Installs

Joomla! CMS versions 3.4.6-3.10.16-elts,4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Gareth Heyes (PortSwigger Research) & Teodor Ivanov

[20240705] - Core - XSS in com_fields default field value

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
  • Exploit type: XSS
  • Reported Date: 2024-06-09
  • Fixed Date: 2024-07-09
  • CVE Number: CVE-2024-26278

Description

The Custom Fields component not correctly filter inputs, leading to a XSS vector.

Affected Installs

Joomla! CMS versions 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

[20240704] - Core - XSS in Wrapper extensions

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
  • Exploit type: XSS
  • Reported Date: 2024-06-08
  • Fixed Date: 2024-07-09
  • CVE Number: CVE-2024-26279

Description

The wrapper extensions do not correctly validate inputs, leading to XSS vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

[20240703] - Core - XSS in StringHelper::truncate method

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
  • Exploit type: XSS
  • Reported Date: 2024-06-08
  • Fixed Date: 2024-07-09
  • CVE Number: CVE-2024-21731

Description

Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

[20240702] - Core - Self-XSS in fancyselect list field layout

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.4.5, 5.0.0-5.1.1
  • Exploit type: XSS
  • Reported Date: 2024-06-03
  • Fixed Date: 2024-07-09
  • CVE Number: CVE-2024-21730

Description

The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

[20240701] - Core - XSS in accessible media selection field

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-4.4.5, 5.0.0-5.1.1
  • Exploit type: XSS
  • Reported Date: 2024-02-20
  • Fixed Date: 2024-07-09
  • CVE Number: CVE-2024-21729

Description

Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Marco Kadlubski

[20240205] - Core - Inadequate content filtering within the filter code

  • Project: Joomla! / Joomla! Framework
  • SubProject: CMS / filter
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: XSS
  • Reported Date: 2023-11-22
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21726

Description

Inadequate content filtering leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

[20240204] - Core - XSS in mail address outputs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: High
  • Probability: High
  • Versions: 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: XSS
  • Reported Date: 2024-01-30
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21725

Description

Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

[20240203] - Core - XSS in media selection fields

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 1.6.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: XSS
  • Reported Date: 2024-01-09
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21724

Description

Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

Affected Installs

Joomla! CMS versions 1.6.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

[20240202] - Core - Open redirect in installation application

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: Open Redirect
  • Reported Date: 2023-11-08
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21723

Description

Inadequate parsing of URLs could result into an open redirect.

Affected Installs

Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

[20240201] - Core - Insufficient session expiration in MFA management views

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
  • Exploit type: Insufficient Session Expiration
  • Reported Date: 2023-11-29
  • Fixed Date: 2024-02-20
  • CVE Number: CVE-2024-21722

Description

The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

Affected Installs

Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

Solution

Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

Contact

The JSST at the Joomla! Security Centre.

[20231101] - Core - Exposure of environment variables

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 1.6.0-4.4.0, 5.0.0
  • Exploit type: Information Disclosure
  • Reported Date: 2023-07-14
  • Fixed Date: 2023-11-21
  • CVE Number: CVE-2023-40626

Description

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Contact

The JSST at the Joomla! Security Centre.

[20230502] - Core - Bruteforce prevention within the mfa screen

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Lack of rate limiting
  • Reported Date: 2023-04-29
  • Fixed Date: 2023-05-30
  • CVE Number: CVE-2023-23755

Description

The lack of rate limiting allows brute force attacks against MFA methods.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20230501] - Core - Open Redirects and XSS within the mfa selection

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Open Redirect / XSS
  • Reported Date: 2023-02-28
  • Fixed Date: 2023-05-28
  • CVE Number: CVE-2023-23754

Description

Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Srpopty from huntr.dev

[20230201] - Core - Improper access check in webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: High
  • Probability: High
  • Versions: 4.0.0-4.2.7
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-02-13
  • Fixed Date: 2023-02-16
  • CVE Number: CVE-2023-23752

Description

An improper access check allows unauthorized access to webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.7

Solution

Upgrade to version 4.2.8

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Zewei Zhang from NSFOCUS TIANJI Lab

[20221101] - Core - RXSS through reflection of user input in com_media

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.4
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-28
  • Fixed Date: 2022-11-08
  • CVE Number: CVE-2022-27914

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media..

Affected Installs

Joomla! CMS versions 4.0.0-4.2.4

Solution

Upgrade to version 4.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By: https://github.com/Denitz

[20230101] - Core - CSRF within post-installation messages

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.6
  • Exploit type: CSRF
  • Reported Date: 2022-12-24
  • Fixed Date: 2023-01-31
  • CVE Number: CVE-2023-23750

Description

A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.6

Solution

Upgrade to version 4.2.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Faizan Wani

[20230102] - Core - Missing ACL checks for com_actionlogs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.6
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-01-01
  • Fixed Date: 2023-01-31
  • CVE Number: CVE-2023-23751

Description

A missing ACL check allows non super-admin users to access com_actionlogs.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.6

Solution

Upgrade to version 4.2.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Faizan Wani

[20221002] - Core - RXSS through reflection of user input in headings

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.3
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-07
  • Fixed Date: 2022-10-25
  • CVE Number: CVE-2022-27913

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.3

Solution

Upgrade to version 4.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Ajith Menon

[20221001] - Core - Disclosure of critical information in debug mode

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.3
  • Exploit type: Information Disclosure
  • Reported Date: 2022-10-13
  • Fixed Date: 2022-10-25
  • CVE Number: CVE-2022-27912

Description

Joomla 4 sites with publicly enabled debug mode exposed data of previous requests.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.3

Solution

Upgrade to version 4.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Peter Martin

[20220801] - Core - Multiple Full Path Disclosures because of missing '_JEXEC or die check'

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0
  • Exploit type: Path Disclosure
  • Reported Date: 2022-08-27
  • Fixed Date: 2022-08-30
  • CVE Number: CVE-2022-27911

Description

Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes done in 4.2.0. According to PROD2020/023 and in coordination with the JSST this has been patched in the public tracker vis #38615

Affected Installs

Joomla! CMS versions 4.2.0

Solution

Upgrade to version 4.2.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: SharkyKZ

[20220301] - Core - Zip Slip within the Tar extractor

  • Project: Joomla! / Joomla! Framework
  • SubProject: CMS / archive
  • Impact: Moderate
  • Severity: Low
  • Probability: Low
  • Versions: 3.0.0 - 3.10.6 & 4.0.0 - 4.1.0
  • Exploit type: Path Traversal
  • Reported Date: 2022-02-20
  • Fixed Date: 2022-03-29
  • CVE Number: CVE-2022-23793

Description

Extracting an specifilcy crafted tar package could write files outside of the intended path.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.10.6 & 4.0.0 - 4.1.0

Solution

Upgrade to version 3.10.7 or 4.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Egidio Romano

Page 3 of 13

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.