Security

Security Announcements

    • Project: Joomla! / Joomla! Framework
    • SubProject: CMS / filter
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Moderate
    • Versions: 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: XSS
    • Reported Date: 2023-11-22
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21726

    Description

    Inadequate content filtering leads to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: High
    • Probability: High
    • Versions: 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: XSS
    • Reported Date: 2024-01-30
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21725

    Description

    Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Moderate
    • Versions: 1.6.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: XSS
    • Reported Date: 2024-01-09
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21724

    Description

    Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

    Affected Installs

    Joomla! CMS versions 1.6.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions: 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: Open Redirect
    • Reported Date: 2023-11-08
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21723

    Description

    Inadequate parsing of URLs could result into an open redirect.

    Affected Installs

    Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions: 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: Insufficient Session Expiration
    • Reported Date: 2023-11-29
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21722

    Description

    The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

    Affected Installs

    Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: High
    • Probability: Low
    • Versions:1.6.0-4.4.0, 5.0.0
    • Exploit type: Information Disclosure
    • Reported Date: 2023-07-14
    • Fixed Date: 2023-11-21
    • CVE Number: CVE-2023-40626

    Description

    The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

    Affected Installs

    Joomla! CMS versions 1.6.0-4.4.0, 5.0.0

    Solution

    Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

    Contact

    The JSST at the Joomla! Security Centre.

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Critical
    • Severity: Moderate
    • Probability: Low
    • Versions:4.2.0-4.3.1
    • Exploit type: Lack of rate limiting
    • Reported Date: 2023-04-29
    • Fixed Date: 2023-05-30
    • CVE Number: CVE-2023-23755

    Description

    The lack of rate limiting allows brute force attacks against MFA methods.

    Affected Installs

    Joomla! CMS versions 4.2.0-4.3.1

    Solution

    Upgrade to version 4.3.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Phil Taylor
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions:4.2.0-4.3.1
    • Exploit type: Open Redirect / XSS
    • Reported Date: 2023-02-28
    • Fixed Date: 2023-05-28
    • CVE Number: CVE-2023-23754

    Description

    Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

    Affected Installs

    Joomla! CMS versions 4.2.0-4.3.1

    Solution

    Upgrade to version 4.3.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Srpopty from huntr.dev
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Critical
    • Severity: High
    • Probability: High
    • Versions:4.0.0-4.2.7
    • Exploit type: Incorrect Access Control
    • Reported Date: 2023-02-13
    • Fixed Date: 2023-02-16
    • CVE Number: CVE-2023-23752

    Description

    An improper access check allows unauthorized access to webservice endpoints.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.2.7

    Solution

    Upgrade to version 4.2.8

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Zewei Zhang from NSFOCUS TIANJI Lab
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions:4.0.0-4.2.4
    • Exploit type: Reflexted XSS
    • Reported Date: 2022-10-28
    • Fixed Date: 2022-11-08
    • CVE Number: CVE-2022-27914

    Description

    Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media..

    Affected Installs

    Joomla! CMS versions 4.0.0-4.2.4

    Solution

    Upgrade to version 4.2.5

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:https://github.com/Denitz