  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 1.5.0 through 3.8.7
  • Exploit type: XSS
  • Reported Date: 2017-October-28
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-6378

Description

Inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.1.2 through 3.8.7
  • Exploit type: XSS
  • Reported Date: 2018-March-30
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11328

Description

Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping of the user-info component of the URI could result in an XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.1.2 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.5.0 through 3.8.5
  • Exploit type: SQLi
  • Reported Date: 2018-March-08
  • Fixed Date: 2018-March-12
  • CVE Number: CVE-2018-8045

Description

The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

Affected Installs

Joomla! CMS versions 3.5.0 through 3.8.5

Solution

Upgrade to version 3.8.6

Contact

The JSST at the Joomla! Security Centre.

Reported By: Entropy Moe

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Medium
  • Severity: Low
  • Versions: 3.0.0 through 3.8.7
  • Exploit type: Session race condition
  • Reported Date: 2017-July-08
  • Fixed Date: 2018-May-22
  • CVE Number: CVE-2018-11324

Description

A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.7

Solution

Upgrade to version 3.8.8

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: SQLi
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6376

Description

The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Karim Ouerghemmi, ripstech.com