Security Announcements

  • [20210402] - Core - Inadequate filters on module layout settings
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.0.0 - 3.9.25
    • Exploit type: LFI
    • Reported Date: 2021-01-03
    • Fixed Date: 2021-04-13
    • CVE Number: CVE-2021-26031

    Description

    Inadequate filters on module layout settings could lead to an LFI.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.25

    Solution

    Upgrade to version 3.9.26

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Lee Thao from Viettel Cyber Security


  • [20210401] - Core - Escape xss in logo parameter error pages
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.0.0 - 3.9.25
    • Exploit type: XSS
    • Reported Date: 2021-03-09
    • Fixed Date: 2021-04-13
    • CVE Number: CVE-2021-26030

    Description

    Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.25

    Solution

    Upgrade to version 3.9.26

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: HOANG NGUYEN


  • [20210307] - Core - ACL violation within com_content frontend editing
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 3.0.0 - 3.9.24
    • Exploit type: ACL violation
    • Reported Date: 2020-10-25
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-26027

    Description

    Incorrect ACL checks could allow unauthorized change of the category for an article.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Brian Teeman, George Wilson (JSST), David Jardin (JSST)


  • [20210306] - Core - com_media allowed paths that are not intended for image uploads
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 3.0.0 - 3.9.24
    • Exploit type: Improper Input Validation
    • Reported Date: 2020-02-17
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-23132

    Description

    com_media allowed paths that are not intended for image uploads.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC


  • [20210305] - Core - Input validation within the template manager
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.2.0 - 3.9.24
    • Exploit type: Improper Input Validation
    • Reported Date: 2020-05-07
    • Fixed Date: 2021-03-02
    • CVE Number: CVE-2021-23131

    Description

    Missing input validation within the template manager.

    Affected Installs

    Joomla! CMS versions 3.2.0 - 3.9.24

    Solution

    Upgrade to version 3.9.25

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Bui Duc Anh Khoa from Viettel Cyber Security