Joomla! Security News

  1. [20250103] - Core - Read ACL violation in multiple core views

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions:3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
    • Exploit type: ACL Violation
    • Reported Date: 2024-08-26
    • Fixed Date: 2025-01-07
    • CVE Number: CVE-2024-40749

    Description

    Improper Access Controls allows access to protected views.

    Affected Installs

    Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

    Solution

    Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Dominik Ziegelmüller

  2. [20250201] - Core - SQL injection vulnerability in Scheduled Tasks component

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Probability: Low
    • Versions:4.1.0-4.4.10, 5.0.0-5.2.3
    • Exploit type: SQL Injection
    • Reported Date: 2024-12-10
    • Fixed Date: 2025-02-18
    • CVE Number: CVE-2025-22207

    Description

    Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.10, 5.1.0-5.2.3

    Solution

    Upgrade to version 4.4.11 or 5.2.4

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Calum Hutton, snyk.io

  3. [20250102] - Core - XSS vector in the id attribute of menu lists

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions:3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
    • Exploit type: XSS
    • Reported Date: 2024-09-19
    • Fixed Date: 2025-01-07
    • CVE Number: CVE-2024-40748

    Description

    Lack of output escaping in the id attribute of menu lists.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

    Solution

    Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Lokesh Dachepalli

  4. [20250101] - Core - XSS vectors in module chromes

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions:4.0.0-4.4.9, 5.0.0-5.2.2
    • Exploit type: XSS
    • Reported Date: 2024-08-29
    • Fixed Date: 2025-01-07
    • CVE Number: CVE-2024-40747

    Description

    Various module chromes didn't properly process inputs, leading to XSS vectors.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2

    Solution

    Upgrade to version 4.4.10 or 5.2.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Catalin Iovita

  5. [20240805] - Core - XSS vectors in Outputfilter::strip* methods

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions:3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
    • Exploit type: XSS
    • Reported Date: 2024-07-22
    • Fixed Date: 2024-08-20
    • CVE Number: CVE-2024-40743

    Description

    The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

    Solution

    Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:  Jesper den Boer