Joomla! Security Announcements
[20201107] - Core - Write ACL violation in multiple core views
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 1.7.0 - 3.9.22
- Exploit type: ACL Violation
- Reported Date: 2018-11-04
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35616
Description
Lack of input validation while handling ACL rulesets can cause write ACL violations.
Affected Installs
Joomla! CMS versions 1.7.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: Elisa Foltyn, Benjamin Trenkle
[20201106] - Core - CSRF in com_privacy emailexport feature
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.9.0 - 3.9.22
- Exploit type: CSRF
- Reported Date: 2020-10-08
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35615
Description
A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: Lee Thao from Viettel Cyber Security
[20201105] - Core - User Enumeration in backend login
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.9.0 - 3.9.22
- Exploit type: User Enumeration
- Reported Date: 2020-08-15
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35614
Description
Improper handling of the username leads to a user enumeration attack vector in the backend login page.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
[20201104] - Core - SQL injection in com_users list view
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions: 3.0.0 - 3.9.22
- Exploit type: SQL Injection
- Reported Date: 2020-10-13
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35613
Description
Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: ka1n4t
[20201103] - Core - Path traversal in mod_random_image
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0 - 3.9.22
- Exploit type: Path traversal
- Reported Date: 2020-10-06
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35612
Description
The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: Lee Thao from Viettel Cyber Security, Phil Taylor