Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader or email notifications via FeedBurner.
[20140904] - Core - Denial of Service
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
- Exploit type: Denial of Service
- Reported Date: 2014-September-24
- Fixed Date: 2014-September-30
- CVE Number: CVE-2014-7229
Description
Inadequate checking allowed the potential for a denial of service attack.
Affected Installs
Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Solution
Upgrade to version 2.5.26, 3.2.6, or 3.3.5
Contact
The JSST at the Joomla! Security Centre.
[20140903] - Core - Remote File Inclusion
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
- Exploit type: Remote File Inclusion
- Reported Date: 2014-September-24
- Fixed Date: 2014-September-30
- CVE Number: CVE-2014-7228
Description
Inadequate checking allowed the potential for remote files to be executed.
Affected Installs
Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4
Solution
Upgrade to version 2.5.26, 3.2.6, or 3.3.5
Additional Details
Please refer to AkeebaBackup.com for additional details.
Contact
The JSST at the Joomla! Security Centre.
[20140902] - Core - Unauthorised Logins
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3
- Exploit type: Unauthorised Logins
- Reported Date: 2014-September-09
- Fixed Date: 2014-September-23
- CVE Number: CVE-2014-6632
Description
Inadequate checking allowed unauthorised logins via LDAP authentication.
Affected Installs
Joomla! CMS versions 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3
Solution
Upgrade to version 2.5.25, 3.2.5, or 3.3.4
Contact
The JSST at the Joomla! Security Centre.
[20140901] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 3.2.0 through 3.2.4, 3.3.0 through 3.3.3
- Exploit type: XSS Vulnerability
- Reported Date: 2014-August-27
- Fixed Date: 2014-September-23
- CVE Number: CVE-2014-6631
Description
Inadequate escaping leads to XSS vulnerability in com_media.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.2.4 and 3.3.0 through 3.3.3
Solution
Upgrade to version 3.2.5 or 3.3.4
Contact
The JSST at the Joomla! Security Centre.
[20140301] - Core - SQL Injection
- Project: Joomla!
- SubProject: CMS
- Severity: High
- Versions: 3.1.0 through 3.2.2
- Exploit type: SQL Injection
- Reported Date: 2014-February-06
- Fixed Date: 2014-March-06
Description
Inadequate escaping leads to SQL injection vulnerability.
Affected Installs
Joomla! CMS versions 3.1.0 through 3.2.2
Solution
Upgrade to version 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20140302] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 3.1.2 through 3.2.2
- Exploit type: XSS Vulnerability
- Reported Date: 2014-March-04
- Fixed Date: 2014-March-06
Description
Inadequate escaping leads to XSS vulnerability in com_contact.
Affected Installs
Joomla! CMS versions 3.1.2 through 3.2.2
Solution
Upgrade to version 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20140303] - Core - XSS Vulnerability
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
- Exploit type: XSS Vulnerability
- Reported Date: 2014-March-05
- Fixed Date: 2014-March-06
Description
Inadequate escaping leads to XSS vulnerability.
Affected Installs
Joomla! CMS versions 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
Solution
Upgrade to version 2.5.19 or 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20140304] - Core - Unauthorised Logins
- Project: Joomla!
- SubProject: CMS
- Severity: Moderate
- Versions: 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
- Exploit type: Unauthorised Logins
- Reported Date: 2014-February-21
- Fixed Date: 2014-March-06
Description
Inadequate checking allowed unauthorised logins via GMail authentication.
Affected Installs
Joomla! CMS versions 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions
Solution
Upgrade to version 2.5.19 or 3.2.3
Contact
The JSST at the Joomla! Security Centre.
[20131103] Core XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-October-26
- Fixed Date: 2013-November-06
Description
Inadequate filtering leads to XSS vulnerability in com_contact.
Affected Installs
Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.16, 3.1.6 or 3.2.
Contact
The JSST at the Joomla! Security Centre.
[20131102] Core XSS Vulnerability
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-October-06
- Fixed Date: 2013-November-06
Description
Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds.
Affected Installs
Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.16, 3.1.6 or 3.2.
Contact
The JSST at the Joomla! Security Centre.