Category: Joomla Security

Joomla! Component NS Download Shop 2.2.6 – ‘id’ SQL Injection

October 30, 2017

Joomla! Component Zh YandexMap 6.1.1.0 – ‘placemarklistid’ SQL Injection

October 30, 2017

[20170901] – Core – Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-August-4
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14595

Description
A logic bug in a SQL query could lead …


September 19, 2017

[20170902] – Core – LDAP Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 1.5.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-July-27
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14596

Description
Inadequate escaping in the LDAP auth…


September 19, 2017

[20170704] – Core – Installer: Lack of Ownership Verification

  • Project: Joomla!
  • SubProject: CMS Installer
  • Severity: High
  • Versions: 1.0.0 through 3.7.3
  • Exploit type: Lack of Ownership Verification
  • Reported Date: 2017-Apr-06
  • Fixed Date: 2017-July-25
  • CVE Number: CVE-2017-11364

Description

The CMS installer application lacked a process to verify the user's ownership of a webspace, potentially allowing users to gain control.

Please note: Already installed sites are not affected, as this issue is limited to the installer application!

Affected Installs

Joomla! CMS versions 1.0.0 through 3.7.3

Solution

Upgrade to version 3.7.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hanno Böck


July 25, 2017

[20170705] – Core – XSS Vulnerability

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.7.3
  • Exploit type: XSS
  • Reported Date: 2017-April-26
  • Fixed Date: 2017-July-25
  • CVE Number: CVE-2017-11612

Description

Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.7.3

Solution

Upgrade to version 3.7.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Beat B, JSST


July 25, 2017

[20170703] – Core – XSS Vulnerability

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2017-June-22
  • Fixed Date: 2017-July-04
  • CVE Number: CVE-2017-7985

Description

Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.6.5

Solution

Upgrade to version 3.7.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Fortinet’s FortiGuard Labs


July 4, 2017

[20170701] – Core – Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 1.7.3 through 3.7.2
  • Exploit type: Information Disclosure
  • Reported Date: 2016-Feb-05
  • Fixed Date: 2017-July-04
  • CVE Number: CVE-2017-9933

Description

Improper cache invalidation leads to disclosure of form contents.

Affected Installs

Joomla! CMS versions 1.7.3 through 3.7.2

Solution

Upgrade to version 3.7.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Jeff Channell


July 4, 2017

[20170702] – Core – XSS Vulnerability

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 1.7.3 through 3.7.2
  • Exploit type: XSS
  • Reported Date: 2017-June-04
  • Fixed Date: 2017-July-04
  • CVE Number: CVE-2017-9934

Description

Missing CSRF token checks and improper input validation lead to an XSS vulnerability.

Affected Installs

Joomla! CMS versions 1.7.3 through 3.7.2

Solution

Upgrade to version 3.7.3

Contact

The JSST at the Joomla! Security Centre.

Reported By: Envo


July 4, 2017

[20170501] – Core – SQL Injection

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 3.7.0
  • Exploit type: SQL Injection
  • Reported Date: 2017-May-11
  • Fixed Date: 2017-May-17
  • CVE Number: CVE-2017-8917

Description

Inadequate filtering of request data leads to a SQL Injection vulnerability.

Affected Installs

Joomla! CMS version 3.7.0

Solution

Upgrade to version 3.7.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Marc-Alexandre Montpas / sucuri.net


May 17, 2017