Security Announcements

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 3.9.0-3.9.14
    • Exploit type: XSS
    • Reported Date: 2019-December-25
    • Fixed Date: 2020-January-28
    • CVE Number: CVE-2020-8421

    Description

    Inadequate escaping of usernames allows XSS attacks in com_actionlogs.

    Affected Installs

    Joomla! CMS versions 3.9.0 - 3.9.14

    Solution

    Upgrade to version 3.9.15

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Mayank Kumbhar from Techjoomla

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 3.0.0-3.9.14
    • Exploit type: CSRF
    • Reported Date: 2019-December-18
    • Fixed Date: 2020-January-28
    • CVE Number: CVE-2020-8420

    Description

    A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.14

    Solution

    Upgrade to version 3.9.15

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Lee Thao from Viettel Cyber Security

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 3.0.0-3.9.14
    • Exploit type: CSRF
    • Reported Date: 2019-December-23
    • Fixed Date: 2020-January-28
    • CVE Number: CVE-2020-8419

    Description

    Missing token checks in the batch actions of various components cause CSRF vulnerabilities.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.14

    Solution

    Upgrade to version 3.9.15

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Lee Thao from Viettel Cyber Security

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 2.5.0 - 3.9.13
    • Exploit type: SQL injection
    • Reported Date: 2019-December-01
    • Fixed Date: 2019-December-17
    • CVE Number: CVE-2019-19846

    Description

    The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.

    Affected Installs

    Joomla! CMS versions 2.5.0 - 3.9.13

    Solution

    Upgrade to version 3.9.14

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: ka1n4t

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.8.0 - 3.9.13
    • Exploit type: Path Disclosure
    • Reported Date: 2019-November-22
    • Fixed Date: 2019-December-17
    • CVE Number: CVE-2019-19845

    Description

    Missing access check in framework files could lead to a path disclosure.

    Affected Installs

    Joomla! CMS versions 3.8.0 - 3.9.13

    Solution

    Upgrade to version 3.9.14

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Lee Thao, Viettel Cyber Security