Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

  • Project: Joomla!
  • SubProject: Framework
  • Impact: High
  • Severity: Low
  • Probability: Low
  • Versions: 1.0.0-2.1.1, 3.0.0-3.3.1
  • Exploit type: SQL Injection
  • Reported Date: 2025-03-17
  • Fixed Date: 2025-04-02
  • CVE Number: CVE-2025-25226

Description

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package.

Affected Installs

Database Package version: 1.0.0-2.1.1, 3.0.0-3.3.1

Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.

Solution

Upgrade to version 2.2.0 or 3.4.0

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Nicholas K. Dionysopoulos, akeeba.com

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
  • Exploit type: Authentication Bypass
  • Reported Date: 2025-03-20
  • Fixed Date: 2025-04-08
  • CVE Number: CVE-2025-25227

Description

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5

Solution

Upgrade to version 4.4.13 or 5.2.6

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Undisclosed Reporter

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.4.11, 5.0.0-5.2.4
  • Exploit type: Malicious file upload
  • Reported Date: 2025-02-25
  • Fixed Date: 2025-03-10
  • CVE Number: CVE-2025-22213

Description

Inadequate checks in the Media Manager allowed users with "edit" privileges to create executable PHP files.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.11, 5.0.0-5.2.4

Solution

Upgrade to version 4.4.12 or 5.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ErPaciocco

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
  • Exploit type: ACL Violation
  • Reported Date: 2024-08-26
  • Fixed Date: 2025-01-07
  • CVE Number: CVE-2024-40749

Description

Improper Access Controls allows access to protected views.

Affected Installs

Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

Solution

Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Dominik Ziegelmüller

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Probability: Low
  • Versions: 4.1.0-4.4.10, 5.0.0-5.2.3
  • Exploit type: SQL Injection
  • Reported Date: 2024-12-10
  • Fixed Date: 2025-02-18
  • CVE Number: CVE-2025-22207

Description

Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler

Affected Installs

Joomla! CMS versions 4.1.0-4.4.10, 5.0.0-5.2.3

Solution

Upgrade to version 4.4.11 or 5.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Calum Hutton, snyk.io

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
  • Exploit type: XSS
  • Reported Date: 2024-09-19
  • Fixed Date: 2025-01-07
  • CVE Number: CVE-2024-40748

Description

Lack of output escaping in the id attribute of menu lists.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

Solution

Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lokesh Dachepalli

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-4.4.9, 5.0.0-5.2.2
  • Exploit type: XSS
  • Reported Date: 2024-08-29
  • Fixed Date: 2025-01-07
  • CVE Number: CVE-2024-40747

Description

Various module chromes didn't properly process inputs, leading to XSS vectors.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2

Solution

Upgrade to version 4.4.10 or 5.2.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Catalin Iovita

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-40743

Description

The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27187

Description

Improper Access Controls allows backend users to overwrite their username when disallowed.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elysee Franchuk

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27186

Description

The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elysee Franchuk

Page 1 of 28