This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
Joomla! CMS versions 3.9.0 - 3.9.19
Upgrade to version 3.9.20
The JSST at the Joomla! Security Centre.
Missing validation checks at the usergroups table object can result into an broken site configuration.
Joomla! CMS versions 2.5.0 - 3.9.19
Upgrade to version 3.9.20
The JSST at the Joomla! Security Centre.
A missing token check in the ajax_install endpoint com_installer causes a CSRF vulnerability.
Joomla! CMS versions 3.7.0 - 3.9.19
Upgrade to version 3.9.20
The JSST at the Joomla! Security Centre.
Missing token checks in com_postinstall cause CSRF vulnerabilities.
Joomla! CMS versions 3.7.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others."
The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.
Joomla! CMS versions 3.0.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
Incorrect input validation of the module tag option in com_modules allow XSS attacks.
Joomla! CMS versions 3.0.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.
Joomla! CMS versions 2.5.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
Lack of input validation in the heading tag option of the "Articles – Newsflash" and "Articles - Categories" modules allow XSS attacks.
Joomla! CMS versions 3.0.0 - 3.9.18
Upgrade to version 3.9.19
The JSST at the Joomla! Security Centre.
Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
Joomla! CMS versions 2.5.0 - 3.9.16
Upgrade to version 3.9.17
The JSST at the Joomla! Security Centre.
Inproper input validations in the usergroup table class could lead to a broken ACL configuration.
Joomla! CMS versions 2.5.0 - 3.9.16
Upgrade to version 3.9.17
The JSST at the Joomla! Security Centre.