• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • Documentation
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • Developer Network
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 1.6.0 - 3.9.24
  • Exploit type: ACL Violation
  • Reported Date: 2021-01-31
  • Fixed Date: 2021-03-02
  • CVE Number: CVE-2021-26029

Description

Inadequate filtering of form contents could allow to overwrite the author field. The affected core components are com_fields, com_categories, com_banners, com_contact, com_newsfeeds and com_tags. 

Affected Installs

Joomla! CMS versions 1.6.0 - 3.9.24

Solution

Upgrade to version 3.9.25

Contact

The JSST at the Joomla! Security Centre.

Reported By: DangKhai from Viettel Cyber Security

[20210103] - Core - XSS in com_tags image parameters

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions:3.1.0 - 3.9.23
  • Exploit type: XSS
  • Reported Date: 2020-09-01
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23125

Description

Lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors.

Affected Installs

Joomla! CMS versions 3.1.0 - 3.9.23

Solution

Upgrade to version 3.9.24

Contact

The JSST at the Joomla! Security Centre.

Reported By: Šarūnas Paulauskas

[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions:3.9.0 - 3.9.23
  • Exploit type: XSS
  • Reported Date: 2020-09-01
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23124

Description

Lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.23

Solution

Upgrade to version 3.9.24

Contact

The JSST at the Joomla! Security Centre.

Reported By: Šarūnas Paulauskas

[20210101] - Core - com_modules exposes module names

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions:3.0.0 - 3.9.23
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-07-07
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23123

Description

Lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.23

Solution

Upgrade to version 3.9.24

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

[20201107] - Core - Write ACL violation in multiple core views

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions:1.7.0 - 3.9.22
  • Exploit type: ACL Violation
  • Reported Date: 2018-11-04
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35616

Description

Lack of input validation while handling ACL rulesets can cause write ACL violations.

Affected Installs

Joomla! CMS versions 1.7.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elisa Foltyn, Benjamin Trenkle

[20201106] - Core - CSRF in com_privacy emailexport feature

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0-3.9.22
  • Exploit type: CSRF
  • Reported Date: 2020-10-08
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35615

Description

A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lee Thao from Viettel Cyber Security

[20201105] - Core - User Enumeration in backend login

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0-3.9.22
  • Exploit type: User Enumeration
  • Reported Date: 2020-08-15
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35614

Description

Improper handling of the username leads to a user enumeration attack vector in the backend login page.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20201104] - Core - SQL injection in com_users list view

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.0.0-3.9.22
  • Exploit type: SQL Injection
  • Reported Date: 2020-10-13
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35613

Description

Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ka1n4t

[20201103] - Core - Path traversal in mod_random_image

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0-3.9.22
  • Exploit type: Path traversal
  • Reported Date: 2020-10-06
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35612

Description

The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lee Thao from Viettel Cyber Security, Phil Taylor

[20201102] - Core - Disclosure of secrets in Global Configuration page

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0-3.9.22
  • Exploit type: Information Disclosure
  • Reported Date: 2020-09-23
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35611

Description

The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Corch

Page 7 of 28

  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 5 5.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 2.x
  • Development Status

Resources

  • Development Strategy
  • Security Announcements
  • Report Security Issues
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Twitter
  • Joomla! on Facebook
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • Docs
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in

© 2005 - 2025 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.