[20201102] - Core - Disclosure of secrets in Global Configuration page

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 2.5.0-3.9.22
Exploit type: Information Disclosure
Reported Date: 2020-09-23
Fixed Date: 2020-11-24
CVE Number: CVE-2020-35611

Description

The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By: Corch