Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.
[20180504] - Core - Installer leaks plain text password to local user
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0 through 3.8.7
- Exploit type: Information Disclosure
- Reported Date: 2018-February-09
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11325
Description
The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and displays the plain text password for the administrator account at the confirmation screen.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
[20180503] - Core - Information Disclosure about unpublished tags
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Versions: 3.1.0 through 3.8.7
- Exploit type: Information Disclosure
- Reported Date: 2018-April-27
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11327
Description
Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission .
Affected Installs
Joomla! CMS versions 3.1.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
[20180502] - Core - Add PHAR files to the upload blacklist
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0 through 3.8.7
- Exploit type: Malicious file upload
- Reported Date: 2018-March-14
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11322
Description
Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
[20180501] - Core - ACL violation in access levels
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 2.5.0 through 3.8.7
- Exploit type: ACL violation
- Reported Date: 2018-March-08
- Fixed Date: 2018-May-22
- CVE Number: CVE-2018-11323
Description
Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
[20180301] - Core - SQLi vulnerability User Notes
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.5.0 through 3.8.5
- Exploit type: SQLi
- Reported Date: 2018-March-08
- Fixed Date: 2018-March-12
- CVE Number: CVE-2018-8045
Description
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the User Notes list view
Affected Installs
Joomla! CMS versions 3.5.0 through 3.8.5
Solution
Upgrade to version 3.8.6
Contact
The JSST at the Joomla! Security Centre.
[20180104] - Core - SQLi vulnerability in Hathor postinstall message
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.7.0 through 3.8.3
- Exploit type: SQLi
- Reported Date: 2017-November-17
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6376
Description
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
[20180103] - Core - XSS vulnerability in Uri class
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 1.5.0 through 3.8.3
- Exploit type: XSS
- Reported Date: 2017-November-17
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6379
Description
Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
[20180102] - Core - XSS vulnerability in com_fields
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.7.0 through 3.8.3
- Exploit type: XSS
- Reported Date: 2018-January-20
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6377
Description
Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
[20180101] - Core - XSS vulnerability in module chromes
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0 through 3.8.3
- Exploit type: XSS
- Reported Date: 2018-January-21
- Fixed Date: 2018-January-30
- CVE Number: CVE-2018-6380
Description
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
[20171103] - Core - Information Disclosure
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.7.0 through 3.8.1
- Exploit type: Information Disclosure
- Reported Date: 2017-May-17
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-16633
Description
A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.