Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.
[20151205] - Session - Remote Code Execution Vulnerability
- Project: Joomla! Framework
- SubProject: Session
- Severity: High
- Versions: 1.0.0 through 1.3.0
- Exploit type: Remote Code Execution
- Reported Date: 2015-December-13
- Fixed Date: 2015-December-14
- CVE Number: CVE-2015-8566
Description
Browser information is not filtered properly while saving the session values which leads to a Remote Code Execution vulnerability.
Affected Versions
Joomla! Framework Session package versions 1.0.0 through 1.3.0
Solution
Upgrade to version 1.3.1
Contact
The JSST at the Joomla! Security Centre.
[20151202] - Core - CSRF Hardening
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.2.0 through 3.4.5
- Exploit type: CSRF
- Reported Date: 2015-November-26
- Fixed Date: 2015-December-14
- CVE Number: CVE-2015-8563
Description
Add additional CSRF hardening in com_templates.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.4.5
Solution
Upgrade to version 3.4.6
Contact
The JSST at the Joomla! Security Centre.
[20151203] - Core - Directory Traversal
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.4.0 through 3.4.5
- Exploit type: Directory Traversal
- Reported Date: 2015-November-26
- Fixed Date: 2015-December-14
- CVE Number: CVE-2015-8564
Description
Failure to properly sanitise input data from the XML install file located within an extension's package archive allows for directory traversal.
Affected Installs
Joomla! CMS versions 3.4.0 through 3.4.5
Solution
Upgrade to version 3.4.6
Contact
The JSST at the Joomla! Security Centre.
[20151204] - Core - Directory Traversal
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.2.0 through 3.4.5
- Exploit type: Directory Traversal
- Reported Date: 2015-November-26
- Fixed Date: 2015-December-14
- CVE Number: CVE-2015-8565
Description
Inadequate filtering of request data leads to a Directory Traversal vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.4.5
Solution
Upgrade to version 3.4.6
Contact
The JSST at the Joomla! Security Centre.
[20151001] - Core - SQL Injection
- Project: Joomla!
- SubProject: CMS
- Severity: High
- Versions: 3.2.0 through 3.4.4
- Exploit type: SQL Injection
- Reported Date: 2015-October-15
- Fixed Date: 2015-October-22
- CVE Numbers: CVE-2015-7297, CVE-2015-7857, CVE-2015-7858
Description
Inadequate filtering of request data leads to a SQL Injection vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.4.4
Solution
Upgrade to version 3.4.5
Contact
The JSST at the Joomla! Security Centre.
[20151002] - Core - ACL Violations
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 3.2.0 through 3.4.4
- Exploit type: ACL Violation
- Reported Date: 2015-October-15
- Fixed Date: 2015-October-22
- CVE Number: CVE-2015-7859
Description
Inadequate ACL checks in com_contenthistory provide potential read access to data which should be access restricted.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.4.4
Solution
Upgrade to version 3.4.5
Contact
The JSST at the Joomla! Security Centre.
[20150908] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.4.0 through 3.4.3
- Exploit type: XSS Vulnerability
- Reported Date: 2015-August-18
- Fixed Date: 2015-September-08
- CVE Number: CVE-2015-6939
Description
Inadequate escaping leads to XSS vulnerability in login module.
Affected Installs
Joomla! CMS versions 3.4.0 through 3.4.3
Solution
Upgrade to version 3.4.4
Contact
The JSST at the Joomla! Security Centre.
[20150602] - Core - CSRF Protection
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.2.0 through 3.4.1
- Exploit type: CSRF Protection
- Reported Date: 2015-April-06
- Fixed Date: 2015-June-30
- CVE Number: CVE-2015-5397
Description
Lack of CSRF checks potentially enabled uploading malicious code.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.4.1
Solution
Upgrade to version 3.4.2
Contact
The JSST at the Joomla! Security Centre.
[20150601] - Core - Open Redirect
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.0.0 through 3.4.1
- Exploit type: Open Redirect
- Reported Date: 2015-April-08
- Fixed Date: 2015-June-30
- CVE Number: CVE-2015-5608
Description
Inadequate checking of the return value allowed to redirect to an external page.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.4.1
Solution
Upgrade to version 3.4.2
Contact
The JSST at the Joomla! Security Centre.
[20140904] - Core - Denial of Service
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
- Exploit type: Denial of Service
- Reported Date: 2014-September-24
- Fixed Date: 2014-September-30
- CVE Number: CVE-2014-7229
Description
Inadequate checking allowed the potential for a denial of service attack.
Affected Installs
Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Solution
Upgrade to version 2.5.26, 3.2.6, or 3.3.5
Contact
The JSST at the Joomla! Security Centre.