Joomla Security Centre

Subscribe to Kanał Joomla Security Centre
Zaktualizowano: 36 minut 15 sekund temu

[20180301] - Core - SQLi vulnerability User Notes

wt., 13/03/2018 - 14:45
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.5.0 through 3.8.5
  • Exploit type: SQLi
  • Reported Date: 2018-March-08
  • Fixed Date: 2018-March-12
  • CVE Number: CVE-2018-8045
Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the User Notes list view

Affected Installs

Joomla! CMS versions 3.5.0 through 3.8.5

Solution

Upgrade to version 3.8.6

Contact

The JSST at the Joomla! Security Centre.

Reported By: Entropy Moe

[20180104] - Core - SQLi vulnerability in Hathor postinstall message

wt., 30/01/2018 - 15:45
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: SQLi
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6376
Description

The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Karim Ouerghemmi, ripstech.com

[20180103] - Core - XSS vulnerability in Uri class

wt., 30/01/2018 - 15:45
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 1.5.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2017-November-17
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6379
Description

Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Octavian Cinciu

[20180102] - Core - XSS vulnerability in com_fields

wt., 30/01/2018 - 15:45
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.7.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-20
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6377
Description

Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.

Affected Installs

Joomla! CMS versions 3.7.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

[20180101] - Core - XSS vulnerability in module chromes

wt., 30/01/2018 - 15:45
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.0.0 through 3.8.3
  • Exploit type: XSS
  • Reported Date: 2018-January-21
  • Fixed Date: 2018-January-30
  • CVE Number: CVE-2018-6380
Description

Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.8.3

Solution

Upgrade to version 3.8.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST