Joomla! Security News

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.1.0 - 3.9.23
  • Exploit type: XSS
  • Reported Date: 2020-09-01
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23125

  Description

  Lack of escaping of image-related parameters in multiple com_tags views can lead to XSS attack vectors.

  Affected Installs

  Joomla! CMS versions 3.1.0 - 3.9.23

  Solution

  Upgrade to version 3.9.24

  Contact

  The JSST at the Joomla! Security Centre.

  Reported By: Šarūnas Paulauskas

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 3.9.0 - 3.9.23
  • Exploit type: XSS
  • Reported Date: 2020-09-01
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23124

  Description

  Lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.

  Affected Installs

  Joomla! CMS versions 3.9.0 - 3.9.23

  Solution

  Upgrade to version 3.9.24

  Contact

  The JSST at the Joomla! Security Centre.

  Reported By: Šarūnas Paulauskas

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.0.0 - 3.9.23
  • Exploit type: Incorrect Access Control
  • Reported Date: 2020-07-07
  • Fixed Date: 2021-01-12
  • CVE Number: CVE-2021-23123

  Description

  Lack of ACL checks in the orderPosition endpoint of com_modules leaks the names of unpublished and/or inaccessible modules.

  Affected Installs

  Joomla! CMS versions 3.0.0 - 3.9.23

  Solution

  Upgrade to version 3.9.24

  Contact

  The JSST at the Joomla! Security Centre.

  Reported By: Phil Taylor

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 1.7.0 - 3.9.22
  • Exploit type: ACL Violation
  • Reported Date: 2018-11-04
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35616

  Description

  Lack of input validation while handling ACL rulesets can cause write ACL violations.

  Affected Installs

  Joomla! CMS versions 1.7.0 - 3.9.22

  Solution

  Upgrade to version 3.9.23

  Contact

  The JSST at the Joomla! Security Centre.

  Reported By: Elisa Foltyn, Benjamin Trenkle

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.9.0 - 3.9.22
  • Exploit type: CSRF
  • Reported Date: 2020-10-08
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-35615

  Description

  A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.

  Affected Installs

  Joomla! CMS versions 3.9.0 - 3.9.22

  Solution

  Upgrade to version 3.9.23

  Contact

  The JSST at the Joomla! Security Centre.

  Reported By: Lee Thao from Viettel Cyber Security