This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
In Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core. In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. The used implementation however is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
Joomla! CMS versions 3.9.3 through 3.9.5
Upgrade to version 3.9.6
The JSST at the Joomla! Security Centre.
The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector.
Joomla! CMS versions 1.7.0 through 3.9.5
Upgrade to version 3.9.6
The JSST at the Joomla! Security Centre.
The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks.
Joomla! CMS versions 3.0.0 through 3.9.4
Upgrade to version 3.9.5
The JSST at the Joomla! Security Centre.
The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
Joomla! CMS versions 3.2.0 through 3.9.4
Upgrade to version 3.9.5
The JSST at the Joomla! Security Centre.
The Media Manager component does not properly sanitise the folder parameter, allowing attackers to act outside the media manager root directory.
Joomla! CMS versions 1.5.0 through 3.9.4
Upgrade to version 3.9.5
The JSST at the Joomla! Security Centre.
The sample data plugins lack ACL checks, allowing unauthorized access.
Joomla! CMS versions 3.8.0 through 3.9.3
Upgrade to version 3.9.4
The JSST at the Joomla! Security Centre.
The media form field lacks escaping, leading to a XSS vulnerability.
Joomla! CMS versions 3.2.0 through 3.9.3
Upgrade to version 3.9.4
The JSST at the Joomla! Security Centre.
The item_title layout in edit views lacks escaping, leading to a XSS vulnerability.
Joomla! CMS versions 3.2.0 through 3.9.3
Upgrade to version 3.9.4
The JSST at the Joomla! Security Centre.
The JSON handler in com_config lacks input validation, leading to XSS vulnerability.
Joomla! CMS versions 3.2.0 through 3.9.3
Upgrade to version 3.9.4
The JSST at the Joomla! Security Centre.
The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
Joomla! CMS versions 2.5.0 through 3.9.2
Upgrade to version 3.9.3
The JSST at the Joomla! Security Centre.