Joomla! Security News

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: High
    • Versions: 3.8.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-February-28
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9713

    Description

    The sample data plugins lack ACL checks, allowing unauthorized access.

    Affected Installs

    Joomla! CMS versions 3.8.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Sven Hurt, Benjamin Trenkle

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.0.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-February-25
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9714

    Description

    The media form field lacks escaping, leading to an XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Fouad Maakor

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.0.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-February-25
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9711

    Description

    The item_title layout in edit views lacks escaping, leading to an XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Fouad Maakor

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.2.0 through 3.9.3
    • Exploit type: XSS
    • Reported Date: 2019-March-04
    • Fixed Date: 2019-March-12
    • CVE Number: CVE-2019-9712

    Description

    The JSON handler in com_config lacks input validation, leading to an XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.9.3

    Solution

    Upgrade to version 3.9.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Mario Korth, Hackmanit

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: Object Injection
    • Reported Date: 2019-January-18
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7743

    Description

    The phar:// stream wrapper can be used for object injection attacks. We now disallow usage of the phar:// handler for non-.phar files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: David Jardin (JSST)

Announcements

1. September 19th, Lead Teacher Fellowship

2. September 20th-21st, Specialists Training

3. September 23rd, Project LIFT Screening

4. September 26th, NorthWest Principal/Lead Teacher Training

5. September 28th-29th, Data Workshop: PDOE Report Card Template

© 2017 Pohnpei DOE. All Rights Reserved.