Joomla! Developer Network™

Download
Launch

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 1.6.0-4.4.0, 5.0.0
  • Exploit type: Information Disclosure
  • Reported Date: 2023-07-14
  • Fixed Date: 2023-11-21
  • CVE Number: CVE-2023-40626

Description

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Contact

The JSST at the Joomla! Security Centre.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Lack of rate limiting
  • Reported Date: 2023-04-29
  • Fixed Date: 2023-05-30
  • CVE Number: CVE-2023-23755

Description

The lack of rate limiting allows brute force attacks against MFA methods.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0-4.3.1
  • Exploit type: Open Redirect / XSS
  • Reported Date: 2023-02-28
  • Fixed Date: 2023-05-28
  • CVE Number: CVE-2023-23754

Description

Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Affected Installs

Joomla! CMS versions 4.2.0-4.3.1

Solution

Upgrade to version 4.3.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Srpopty from huntr.dev

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: High
  • Probability: High
  • Versions: 4.0.0-4.2.7
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-02-13
  • Fixed Date: 2023-02-16
  • CVE Number: CVE-2023-23752

Description

An improper access check allows unauthorized access to webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.7

Solution

Upgrade to version 4.2.8

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Zewei Zhang from NSFOCUS TIANJI Lab

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.4
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-28
  • Fixed Date: 2022-11-08
  • CVE Number: CVE-2022-27914

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media..

Affected Installs

Joomla! CMS versions 4.0.0-4.2.4

Solution

Upgrade to version 4.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By: https://github.com/Denitz

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.6
  • Exploit type: CSRF
  • Reported Date: 2022-12-24
  • Fixed Date: 2023-01-31
  • CVE Number: CVE-2023-23750

Description

A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.6

Solution

Upgrade to version 4.2.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Faizan Wani

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.6
  • Exploit type: Incorrect Access Control
  • Reported Date: 2023-01-01
  • Fixed Date: 2023-01-31
  • CVE Number: CVE-2023-23751

Description

A missing ACL check allows non super-admin users to access com_actionlogs.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.6

Solution

Upgrade to version 4.2.7

Contact

The JSST at the Joomla! Security Centre.

Reported By: Faizan Wani

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.3
  • Exploit type: Reflexted XSS
  • Reported Date: 2022-10-07
  • Fixed Date: 2022-10-25
  • CVE Number: CVE-2022-27913

Description

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.3

Solution

Upgrade to version 4.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Ajith Menon

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.2.3
  • Exploit type: Information Disclosure
  • Reported Date: 2022-10-13
  • Fixed Date: 2022-10-25
  • CVE Number: CVE-2022-27912

Description

Joomla 4 sites with publicly enabled debug mode exposed data of previous requests.

Affected Installs

Joomla! CMS versions 4.0.0-4.2.3

Solution

Upgrade to version 4.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Peter Martin

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.2.0
  • Exploit type: Path Disclosure
  • Reported Date: 2022-08-27
  • Fixed Date: 2022-08-30
  • CVE Number: CVE-2022-27911

Description

Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes done in 4.2.0. According to PROD2020/023 and in coordination with the JSST this has been patched in the public tracker vis #38615

Affected Installs

Joomla! CMS versions 4.2.0

Solution

Upgrade to version 4.2.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: SharkyKZ

Page 1 of 26