• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • Documentation
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • Developer Network
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20200403] - Core - Incorrect access control in com_users access level deletion function

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11889

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200402] - Core - Missing checks for the root usergroup in usergroup table

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-27
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11890

Description

Inproper input validations in the usergroup table class could lead to a broken ACL configuration.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200401] - Core - Incorrect access control in com_users access level editing function

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.8.8 - 3.9.16
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-March-13
  • Fixed Date: 2020-April-21
  • CVE Number: CVE-2020-11891

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

Affected Installs

Joomla! CMS versions 3.8.8 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200306] - Core - SQL injection in Featured Articles menu parameters

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 1.7.0-3.9.15
  • Exploit type: SQL Injection
  • Reported Date: 2020-March-9
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10243

Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.

Affected Installs

Joomla! CMS versions 1.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sam Thomas, Pentest.co.uk

[20200304] - Core - Identifier collisions in com_users

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: Other
  • Reported Date: 2020-February-07
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10240

Description

Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Lee Thao from Viettel Cyber Security

[20200305] - Core - Incorrect Access Control in com_fields SQL field

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-February-28
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10239

Description

Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

Affected Installs

Joomla! CMS versions 3.7.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200303] - Core - Incorrect Access Control in com_templates

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0-3.9.15
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-January-31
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10238

Description

Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200302] - Core - XSS in Protostar and Beez3

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0-3.9.15
  • Exploit type: XSS
  • Reported Date: 2020-February-24
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10242

Description

Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Pham Van Khanh

[20200301] - Core - CSRF in com_templates image actions

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.2.0-3.9.15
  • Exploit type: CSRF
  • Reported Date: 2020-February-06
  • Fixed Date: 2020-March-10
  • CVE Number: CVE-2020-10241

Description

Missing token checks in the image actions of com_templates causes CSRF vulnerabilities.

Affected Installs

Joomla! CMS versions 3.2.0 - 3.9.15

Solution

Upgrade to version 3.9.16

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20200103] - Core - XSS in com_actionlogs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.9.0-3.9.14
  • Exploit type: XSS
  • Reported Date: 2019-December-25
  • Fixed Date: 2020-January-28
  • CVE Number: CVE-2020-8421

Description

Inadequate escaping of usernames allow XSS attacks in com_actionlogs.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.14

Solution

Upgrade to version 3.9.15

Contact

The JSST at the Joomla! Security Centre.

Reported By: Mayank Kumbhar from Techjoomla

Page 7 of 25

  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 3 4.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 2.x
  • Development Status

Resources

  • Development Strategy
  • Security Announcements
  • Report Security Issues
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • en-GB User Interface Text Guidelines
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Twitter
  • Joomla! on Facebook
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Resources
  • Docs
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in

© 2005 - 2023 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.