This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.
Joomla! CMS versions 2.5.0 - 3.10.6 & 4.0.0 - 4.1.0
Upgrade to version 3.10.7 & 4.1.1
The JSST at the Joomla! Security Centre.
Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
Joomla! CMS versions 4.0.0 - 4.1.0
Upgrade to version 4.1.1
The JSST at the Joomla! Security Centre.
Inadequate content filtering leads to XSS vulnerabilities in various components.
Joomla! CMS versions 4.0.0 - 4.1.0
Upgrade to version 4.1.1
The JSST at the Joomla! Security Centre.
Possible XSS attack vector through SVG embedding in com_media.
Joomla! CMS versions 4.0.0 - 4.1.0
Upgrade to version 4.1.1
The JSST at the Joomla! Security Centre.
The media manager does not correctly check the user's permissions before executing a file deletion command.
Joomla! CMS versions 4.0.0
Upgrade to version 4.0.1
The JSST at the Joomla! Security Centre.
Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability.
Joomla! CMS versions 3.0.0 - 3.9.27
Upgrade to version 3.9.28
The JSST at the Joomla! Security Centre.
Install action in com_installer lack the required hardcoded ACL checks for superusers, leading to various potential attack vectors. A default system is not affected cause by default com_installer is limited to super users already.
Joomla! CMS versions 2.5.0 - 3.9.27
Upgrade to version 3.9.28
The JSST at the Joomla! Security Centre.
Various CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.
Joomla! CMS versions 2.5.0 - 3.9.27
Upgrade to version 3.9.28
The JSST at the Joomla! Security Centre.
Missing validation of input could lead to a broken usergroups table.
Joomla! CMS versions 2.5.0 - 3.9.27
Upgrade to version 3.9.28
The JSST at the Joomla! Security Centre.
Inadequate escaping in the Rules field of the JForm API leads to a XSS vulnerability.
Joomla! CMS versions 3.0.0 - 3.9.27
Upgrade to version 3.9.28
The JSST at the Joomla! Security Centre.