This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the article referenced above. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through an RSS reader.
Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
Joomla! CMS versions 3.8.8 - 3.9.16
Upgrade to version 3.9.17
The JSST at the Joomla! Security Centre.
The lack of type casting of a variable in an SQL statement leads to an SQL injection vulnerability in the "Featured Articles" frontend menutype.
Joomla! CMS versions 1.7.0 - 3.9.15
Upgrade to version 3.9.16
Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.
Joomla! CMS versions 3.0.0 - 3.9.15
Upgrade to version 3.9.16
Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
Joomla! CMS versions 3.7.0 - 3.9.15
Upgrade to version 3.9.16
Several actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
Joomla! CMS versions 2.5.0 - 3.9.15
Upgrade to version 3.9.16
Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks.
Joomla! CMS versions 3.0.0 - 3.9.15
Upgrade to version 3.9.16
Missing token checks in the image actions of com_templates cause CSRF vulnerabilities.
Joomla! CMS versions 3.2.0 - 3.9.15
Upgrade to version 3.9.16
Inadequate escaping of usernames allows XSS attacks in com_actionlogs.
Joomla! CMS versions 3.9.0 - 3.9.14
Upgrade to version 3.9.15
A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
Joomla! CMS versions 3.0.0 - 3.9.14
Upgrade to version 3.9.15
Missing token checks in the batch actions of various components cause CSRF vulnerabilities.
Joomla! CMS versions 3.0.0 - 3.9.14
Upgrade to version 3.9.15