Security Announcements

  1. [20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 1.6.0 - 3.9.24
    • Exploit type: ACL Violation
    • Reported Date: 2021-01-31
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-26029

    Description

    Inadequate filtering of form contents could allow to overwrite the author field. The affected core components are com_fields, com_categories, com_banners, com_contact, com_newsfeeds and com_tags. 

    Affected Installs

    Joomla! CMS versions 1.6.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: DangKhai from Viettel Cyber Security
  2. [20210307] - Core - ACL violation within com_content frontend editing
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 3.0.0 - 3.9.24
    • Exploit type: ACL violation
    • Reported Date: 2020-10-25
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-26027

    Description

    Incorrect ACL checks could allow unauthorized change of the category for an article.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Brian Teeman, George Wilson (JSST), David Jardin (JSST)
  3. [20210306] - Core - com_media allowed paths that are not intended for image uploads
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 3.0.0 - 3.9.24
    • Exploit type: Improper Input Validation
    • Reported Date: 2020-02-17
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-23132

    Description

    com_media allowed paths that are not intended for image uploads.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC
  4. [20210305] - Core - Input validation within the template manager
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.2.0 - 3.9.24
    • Exploit type: Improper Input Validation
    • Reported Date: 2020-05-07
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-23131

    Description

    Missing input validation within the template manager.

    Affected Installs

    Joomla! CMS versions 3.2.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Bui Duc Anh Khoa from Viettel Cyber Security
  5. [20210304] - Core - XSS within the feed parser library
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 2.5.0 - 3.9.24
    • Exploit type: XSS
    • Reported Date: 2020-05-05
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-23130

    Description

    Missing filtering of feed fields could lead to xss issues.

    Affected Installs

    Joomla! CMS versions 2.5.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Bui Duc Anh Khoa from Viettel Cyber Security