Joomla! Security News

  1. [20190206] - Core - Implement the TYPO3 PHAR stream wrapper

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: Object Injection
    • Reported Date: 2019-January-18
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7743

    Description

    The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:David Jardin (JSST)

  2. [20190205] - Core - XSS Issue in core.js writeDynaList

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: XSS
    • Reported Date: 2018-October-07
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7740

    Description

    Inadequate parameter handling in JS code could lead to an XSS attack vector.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Dimitris Grammatikogiannis

  3. [20190204] - Core - Stored XSS issue in the Global Configuration help url #2

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: XSS
    • Reported Date: 2019-January-16
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7741

    Description

    Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Antonin Steinhauser

  4. [20190203] - Core - Additional warning in the Global Configuration textfilter settings

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: XSS
    • Reported Date: 2019-January-17
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7739

    Description

    "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Raviraj Powar

  5. [20190202] - Core - Browserside mime-type sniffing causes XSS attack vectors

    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 1.0.0 through 3.9.2
    • Exploit type: XSS
    • Reported Date: 2018-September-24
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7742

    Description

    A combination of specific webserver configurations, in connection with specific file types and browserside mime-type sniffing causes a XSS attack vector.

    Affected Installs

    Joomla! CMS versions 1.0.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Hanno Böck

About Terminal Madness

Terminal Madness started out as a Computer Bulletin Board, ( BBS ) back in the early 90's. Fascinated that one could get all the information they ever wanted "on line", for FREE, the "BBS" was named Terminal Madness.

Now, about 22 years later, that fascination with computers and information continues.

From the USA, to the Dominican Republic, to Curacao and back to the USA.

© 2016 Terminal Madness. All Rights Reserved. Designed By Terminal Madness

Search