See other templatesSee other templates

Joomla! Security News

  1. [20200403] - Core - Incorrect access control in com_users access level deletion function

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 2.5.0 - 3.9.16
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-March-13
    • Fixed Date: 2020-April-21
    • CVE Number: CVE-2020-11889

    Description

    Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

    Affected Installs

    Joomla! CMS versions 2.5.0 - 3.9.16

    Solution

    Upgrade to version 3.9.17

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC
  2. [20200402] - Core - Missing checks for the root usergroup in usergroup table

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 2.5.0 - 3.9.16
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-February-27
    • Fixed Date: 2020-April-21
    • CVE Number: CVE-2020-11890

    Description

    Inproper input validations in the usergroup table class could lead to a broken ACL configuration.

    Affected Installs

    Joomla! CMS versions 2.5.0 - 3.9.16

    Solution

    Upgrade to version 3.9.17

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC
  3. [20200401] - Core - Incorrect access control in com_users access level editing function

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.8.8 - 3.9.16
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-March-13
    • Fixed Date: 2020-April-21
    • CVE Number: CVE-2020-11891

    Description

    Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

    Affected Installs

    Joomla! CMS versions 3.8.8 - 3.9.16

    Solution

    Upgrade to version 3.9.17

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC
  4. [20200306] - Core - SQL injection in Featured Articles menu parameters

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 1.7.0-3.9.15
    • Exploit type: SQL Injection
    • Reported Date: 2020-March-9
    • Fixed Date: 2020-March-10
    • CVE Number: CVE-2020-10243

    Description

    The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.

    Affected Installs

    Joomla! CMS versions 1.7.0 - 3.9.15

    Solution

    Upgrade to version 3.9.16

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Sam Thomas, Pentest.co.uk
  5. [20200304] - Core - Identifier collisions in com_users

    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 3.0.0-3.9.15
    • Exploit type: Other
    • Reported Date: 2020-February-07
    • Fixed Date: 2020-March-10
    • CVE Number: CVE-2020-10240

    Description

    Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

    Affected Installs

    Joomla! CMS versions 3.0.0 - 3.9.15

    Solution

    Upgrade to version 3.9.16

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Lee Thao from Viettel Cyber Security
Go to top