Joomla! - SITE - Advanced Web Factories

[20191001] - Core - CSRF in com_template overrides view

Security Announcements Nov 5, 2019 | 14:00 pm

Project: Joomla!SubProject: CMSImpact: HighSeverity: LowVersions: 3.2.0-3.9.12Exploit type: CSRFReported Date: 2019-October-10Fixed Date: 2019-November-05CVE Number: CVE-2019-18650DescriptionA missing token check in com_template causes a CSRF vulnerability.Affected InstallsJoomla! CMS versions 3.2.0 - 3.9.12SolutionUpgrade to version 3.9.13ContactThe JSST at the Joomla! Security Centre.Reported By: Lee[…]

[20190901] - Core - XSS in logo parameter of default templates

Security Announcements Sep 24, 2019 | 15:00 pm

Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 3.0.0-3.9.11Exploit type: XSSReported Date: 2019-August-28Fixed Date: 2019-September-24CVE Number: CVE-2019-16725DescriptionInadequate escaping allowed XSS attacks using the logo parameter of the default templates.Affected InstallsJoomla! CMS versions 3.0.0 - 3.9.11SolutionUpgrade to version 3.9.12ContactThe JSST at the Joomla! Security[…]

[20190801] - Core - Hardening com_contact contact form

Security Announcements Aug 13, 2019 | 15:00 pm

Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 1.6.2 - 3.9.10Exploit type: Incorrect Access ControlReported Date: 2019-April-09Fixed Date: 2019-August-13CVE Number: CVE-2019-15028DescriptionInadequate checks in com_contact could allowed mail submission in disabled forms.Affected InstallsJoomla! CMS versions 1.6.2 - 3.9.10SolutionUpgrade to version 3.9.11ContactThe JSST at the[…]

[20190701] - Core - Filter attribute in subform fields allows remote code execution

Security Announcements Jul 9, 2019 | 15:00 pm

Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 3.9.7 - 3.9.8Exploit type: Remote Code ExecutionReported Date: 2019-June-20Fixed Date: 2019-July-09CVE Number: CVE-2019-14654DescriptionInadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.Affected InstallsJoomla! CMS versions 3.9.7[…]

[20190601] - Core - CSV injection in com_actionlogs

Security Announcements Jun 11, 2019 | 02:00 am

Project: Joomla!SubProject: CMSImpact: LowSeverity: LowVersions: 3.9.0 through 3.9.6Exploit type: CSV InjectionReported Date: 2019-April-29Fixed Date: 2019-June-11CVE Number: CVE-2019-12765DescriptionThe CSV export of com_actionslogs is vulnerable to CSV injection.Affected InstallsJoomla! CMS versions 3.9.0 through 3.9.6SolutionUpgrade to version 3.9.7ContactThe JSST at the Joomla! Security[…]

[20190502] - Core - By-passing protection of Phar Stream Wrapper Interceptor

Security Announcements May 8, 2019 | 02:00 am

Project: Joomla!SubProject: CMSImpact: LowSeverity: LowVersions: 3.9.3 through 3.9.5Exploit type: Object InjectionReported Date: 2019-March-27Fixed Date: 2019-May-07DescriptionIn Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core. In order[…]

[20190501] - Core - XSS in com_users ACL debug views

Security Announcements May 7, 2019 | 17:00 pm

Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 1.7.0 through 3.9.5Exploit type: XSSReported Date: 2019-April-29Fixed Date: 2019-May-07CVE Number: CVE-2019-11809DescriptionThe debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector.Affected InstallsJoomla! CMS versions 1.7.0 through[…]