Security Announcements

  1. [20190104] - Core - Stored XSS issue in the Global Configuration help url
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.1
    • Exploit type: XSS
    • Reported Date: 2018-December-05
    • Fixed Date: 2019-January-15
    • CVE Number: CVE-2019-6262

    Description

    Inadequate checks on the Global Configuration helpurl setting allowed a stored XSS.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.1

    Solution

    Upgrade to version 3.9.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Mario Korth, Hackmanit
  2. [20190103] - Core - Stored XSS issue in the Global Configuration textfilter settings
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.1
    • Exploit type: XSS
    • Reported Date: 2018-November-29
    • Fixed Date: 2019-January-15
    • CVE Number: CVE-2019-6263

    Description

    Inadequate checks on the Global Configuration Text Filter settings allowed a stored XSS.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.1

    Solution

    Upgrade to version 3.9.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Sébastien Poirier
  3. [20190102] - Core - Stored XSS in com_contact
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.1
    • Exploit type: XSS
    • Reported Date: 2018-December-04
    • Fixed Date: 2019-January-15
    • CVE Number: CVE-2019-6261

    Description

    Inadequate escaping in com_contact leads to a stored XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.1

    Solution

    Upgrade to version 3.9.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Antonin Steinhauser
  4. [20190101] - Core - Stored XSS in mod_banners
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.1
    • Exploit type: XSS
    • Reported Date: 2018-December-01
    • Fixed Date: 2019-January-15
    • CVE Number: CVE-2019-6264

    Description

    Inadequate escaping in mod_banners leads to a stored XSS vulnerability.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.1

    Solution

    Upgrade to version 3.9.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Antonin Steinhauser
  5. [20181005] - Core - CSRF hardening in com_installer
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 2.5.0 through 3.8.12
    • Exploit type: CSRF
    • Reported Date: 2018-September-26
    • Fixed Date: 2018-October-02
    • CVE Number: CVE-2018-17858

    Description

    Added additional CSRF hardening in com_installer actions in the backend.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.8.12

    Solution

    Upgrade to version 3.8.13

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Raviraj A. Powar