This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
Joomla! CMS versions 2.5.0 - 3.9.13
Upgrade to version 3.9.14
The JSST at the Joomla! Security Centre.
Missing access check in framework files could lead to a path disclosure.
Joomla! CMS versions 3.8.0 - 3.9.13
Upgrade to version 3.9.14
The JSST at the Joomla! Security Centre.
Missing access check in the phputf8 mapping files could lead to an path disclosure.
Joomla! CMS versions 3.6.0 - 3.9.12
Upgrade to version 3.9.13
The JSST at the Joomla! Security Centre.
A missing token check in com_template causes a CSRF vulnerability.
Joomla! CMS versions 3.2.0 - 3.9.12
Upgrade to version 3.9.13
The JSST at the Joomla! Security Centre.
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
Joomla! CMS versions 3.0.0 - 3.9.11
Upgrade to version 3.9.12
The JSST at the Joomla! Security Centre.
Inadequate checks in com_contact could allowed mail submission in disabled forms.
Joomla! CMS versions 1.6.2 - 3.9.10
Upgrade to version 3.9.11
The JSST at the Joomla! Security Centre.
Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
Joomla! CMS versions 3.9.7 - 3.9.8
Upgrade to version 3.9.9
The JSST at the Joomla! Security Centre.
The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.
Joomla! CMS versions 3.8.13 through 3.9.6
Upgrade to version 3.9.7
The JSST at the Joomla! Security Centre.
The subform fieldtype does not sufficiently filter or validate input of subfields, this leads to XSS attack vectors.
Joomla! CMS versions 3.6.0 through 3.9.6
Upgrade to version 3.9.7
The JSST at the Joomla! Security Centre.
The CSV export of com_actionslogs is vulnerable to CSV injection.
Joomla! CMS versions 3.9.0 through 3.9.6
Upgrade to version 3.9.7
The JSST at the Joomla! Security Centre.