Joomla! Security News

  1. [20240205] - Core - Inadequate content filtering within the filter code

    • Project: Joomla! / Joomla! Framework
    • SubProject: CMS / filter
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Moderate
    • Versions: 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: XSS
    • Reported Date: 2023-11-22
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21726

    Description

    Inadequate content filtering leads to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

  2. [20240204] - Core - XSS in mail address outputs

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: High
    • Probability: High
    • Versions: 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: XSS
    • Reported Date: 2024-01-30
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21725

    Description

    Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

  3. [20240203] - Core - XSS in media selection fields

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Moderate
    • Versions: 1.6.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: XSS
    • Reported Date: 2024-01-09
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21724

    Description

    Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

    Affected Installs

    Joomla! CMS versions 1.6.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

  4. [20240202] - Core - Open redirect in installation application

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions: 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: Open Redirect
    • Reported Date: 2023-11-08
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21723

    Description

    Inadequate parsing of URLs could result into an open redirect.

    Affected Installs

    Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.

  5. [20240201] - Core - Insufficient session expiration in MFA management views

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions: 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
    • Exploit type: Insufficient Session Expiration
    • Reported Date: 2023-11-29
    • Fixed Date: 2024-02-20
    • CVE Number: CVE-2024-21722

    Description

    The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

    Affected Installs

    Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2

    Solution

    Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3

    Contact

    The JSST at the Joomla! Security Centre.