Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.
[20140301] - Core - SQL Injection
- Project: Joomla!
- SubProject: CMS
- Severity: High
- Versions: 3.1.0 through 3.2.2
- Exploit type: SQL Injection
- Reported Date: 2014-February-06
- Fixed Date: 2014-March-06
Description
Inadequate escaping leads to SQL injection vulnerability.
Affected Installs
Joomla! CMS versions 3.1.0 through 3.2.2
Solution
Upgrade to version 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20140302] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 3.1.2 through 3.2.2
- Exploit type: XSS Vulnerability
- Reported Date: 2014-March-04
- Fixed Date: 2014-March-06
Description
Inadequate escaping leads to XSS vulnerability in com_contact.
Affected Installs
Joomla! CMS versions 3.1.2 through 3.2.2
Solution
Upgrade to version 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20140303] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
- Exploit type: XSS Vulnerability
- Reported Date: 2014-March-05
- Fixed Date: 2014-March-06
Description
Inadequate escaping leads to XSS vulnerability.
Affected Installs
Joomla! CMS versions 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
Solution
Upgrade to version 2.5.19 or 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20140304] - Core - Unauthorised Logins
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
- Exploit type: Unauthorised Logins
- Reported Date: 2014-February-21
- Fixed Date: 2014-March-06
Description
Inadequate checking allowed unauthorised logins via GMail authentication.
Affected Installs
Joomla! CMS versions 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
Solution
Upgrade to version 2.5.19 or 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20131103] Core XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-October-26
- Fixed Date: 2013-November-06
Description
Inadequate filtering leads to XSS vulnerability in com_contact.
Affected Installs
Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.16, 3.1.6 or 3.2.
Contact
The JSST at the Joomla! Security Centre.
[20131102] Core XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-October-06
- Fixed Date: 2013-November-06
Description
Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds.
Affected Installs
Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.16, 3.1.6 or 3.2.
Contact
The JSST at the Joomla! Security Centre.
[20131101] Core XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: High
- Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-October-25
- Fixed Date: 2013-November-06
Description
Inadequate filtering leads to XSS vulnerability in com_contact.
Affected Installs
Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.16, 3.1.6 or 3.2.
Contact
The JSST at the Joomla! Security Centre.
[20130801] - Core - Unauthorised Uploads
- Project: Joomla!
- SubProject: All
- Severity: Critical
- Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
- Exploit type: Unauthorised Uploads
- Reported Date: 2013-June-25
- Fixed Date: 2013-July-31
- CVE Number: Pending
Description
Inadequate filtering leads to the ability to bypass file type upload restrictions.
Affected Installs
Joomla! version 2.5.13 and earlier 2.5.x versions; and version 3.1.4 and earlier 3.x versions.
Solution
Upgrade to version 2.5.14 or 3.1.5.
Contact
The JSST at the Joomla! Security Centre.
[20130405] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-February-26
- Fixed Date: 2013-April-24
- CVE Number: CVE-2013-3059
Description
Inadequate filtering leads to XSS vulnerability in Voting plugin.
Affected Installs
Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.2 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact
The JSST at the Joomla! Security Center.
[20130403] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-March-9
- Fixed Date: 2013-April-24
- CVE Number: CVE-2013-3058
Description
Inadequate filtering allows possibility of XSS exploit in some circumstances.
Affected Installs
Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.2 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact
The JSST at the Joomla! Security Center.