• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • Documentation
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • Developer Network
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20220309] - Core - XSS attack vector through SVG

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0 - 4.1.0
  • Exploit type: XSS
  • Reported Date: 2021-08-25
  • Fixed Date: 2022-03-29
  • CVE Number: CVE-2022-23801

Description

Possible XSS attack vector through SVG embedding in com_media.

Affected Installs

Joomla! CMS versions 4.0.0 - 4.1.0

Solution

Upgrade to version 4.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Julia Polner, Simon Stockhause

[20210801] - Core - Insufficient access control for com_media deletion endpoint

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: High
  • Versions: 4.0.0
  • Exploit type: Incorrect Access Control
  • Reported Date: 2021-08-20
  • Fixed Date: 2021-08-24
  • CVE Number: CVE-2021-26040

Description

The media manager does not correctly check the user's permissions before executing a file deletion command.

Affected Installs

Joomla! CMS versions 4.0.0

Solution

Upgrade to version 4.0.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Maverick

[20210705] - Core - XSS in com_media imagelist

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0 - 3.9.27
  • Exploit type: XSS
  • Reported Date: 2021-06-22
  • Fixed Date: 2021-07-06
  • CVE Number: CVE-2021-26039

Description

Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.27

Solution

Upgrade to version 3.9.28

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hagai Wechsler / WhiteSourceSoftware

[20210704] - Core - Privilege escalation through com_installer

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0 - 3.9.27
  • Exploit type: Incorrect Access Control
  • Reported Date: 2021-06-06
  • Fixed Date: 2021-07-06
  • CVE Number: CVE-2021-26038

Description

Install action in com_installer lack the required hardcoded ACL checks for superusers, leading to various potential attack vectors. A default system is not affected cause by default com_installer is limited to super users already.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.27

Solution

Upgrade to version 3.9.28

Contact

The JSST at the Joomla! Security Centre.

Reported By: Nicholas Dionysopoulos

[20210703] - Core - Lack of enforced session termination

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0 - 3.9.27
  • Exploit type: Incorrect Session Handling
  • Reported Date: 2019-02-08
  • Fixed Date: 2021-07-06
  • CVE Number: CVE-2021-26037

Description

Various CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.27

Solution

Upgrade to version 3.9.28

Contact

The JSST at the Joomla! Security Centre.

Reported By: Carsten Schmitz, Atik Islam, Dennis Hermatski, Muhammad Hussain, th3lawbreaker, Hoang Kien

[20210702] - Core - DoS through usergroup table manipulation

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 - 3.9.27
  • Exploit type: DoS
  • Reported Date: 2021-06-08
  • Fixed Date: 2021-07-06
  • CVE Number: CVE-2021-26036

Description

Missing validation of input could lead to a broken usergroups table.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.27

Solution

Upgrade to version 3.9.28

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

[20210701] - Core - XSS in JForm Rules field

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 - 3.9.27
  • Exploit type: XSS
  • Reported Date: 2021-05-29
  • Fixed Date: 2021-07-06
  • CVE Number: CVE-2021-26035

Description

Inadequate escaping in the Rules field of the JForm API leads to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.27

Solution

Upgrade to version 3.9.28

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Nguyen

[20210503] - Core - CSRF in data download endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 - 3.9.26
  • Exploit type: CSRF
  • Reported Date: 2021-05-07
  • Fixed Date: 2021-05-25
  • CVE Number: CVE-2021-26034

Description

A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.26

Solution

Upgrade to version 3.9.27

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

[20210502] - Core - CSRF in AJAX reordering endpoint

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 - 3.9.26
  • Exploit type: CSRF
  • Reported Date: 2021-05-07
  • Fixed Date: 2021-05-25
  • CVE Number: CVE-2021-26033

Description

A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.26

Solution

Upgrade to version 3.9.27

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 - 3.9.26
  • Exploit type: XSS
  • Reported Date: 2021-03-05
  • Fixed Date: 2021-05-25
  • CVE Number: CVE-2021-26032

Description

HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.26

Solution

Upgrade to version 3.9.27

Contact

The JSST at the Joomla! Security Centre.

Reported By: Adrian Tiron, Fortbridge

Page 5 of 28

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 5 5.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 2.x
  • Development Status

Resources

  • Development Strategy
  • Security Announcements
  • Report Security Issues
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Twitter
  • Joomla! on Facebook
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • Docs
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in

© 2005 - 2025 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.