Joomla Security Notice :: July 15, 2020

Started by Jason, July 15, 2020, 01:53:12 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason

Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

QuoteJoomla! Security News

________________________________________
•   [20200706] - Core - System Information screen could expose redis or proxy credentials
•   [20200705] - Core - Escape mod_random_image link
•   [20200704] - Core - Variable tampering via user table class
•   [20200703] - Core - CSRF in com_privacy remove-request feature
•   [20200702] - Core - Missing checks can lead to a broken usergroups table record
•   [20200701] - Core - CSRF in com_installer ajax_install endpoint
[20200706] - Core - System Information screen could expose redis or proxy credentials
Posted: 14 Jul 2020 06:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.0.0-3.9.19
> Exploit type: Information Disclosure
> Reported Date: 2020-Jun-17
> Fixed Date: 2020-July-14
> CVE Number: CVE-2020-15698
Description
Inadequate filtering in the system information screen could expose redis or proxy credentials
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
 
 

[20200705] - Core - Escape mod_random_image link
Posted: 14 Jul 2020 06:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.0.0-3.9.19
> Exploit type: XSS
> Reported Date: 2020-Jun-08
> Fixed Date: 2020-July-14
> CVE Number: CVE-2020-15696
Description
Lack of input filtering and escaping allows XSS attacks in mod_random_image
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
 
 

[20200704] - Core - Variable tampering via user table class
Posted: 14 Jul 2020 06:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.0.0-3.9.19
> Exploit type: Incorrect Access Control
> Reported Date: 2020-Jun-02
> Fixed Date: 2020-July-14
> CVE Number: CVE-2020-15697
Description
Internal read-only fields in the User table class could be modified by users.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
 
 

[20200703] - Core - CSRF in com_privacy remove-request feature
Posted: 14 Jul 2020 06:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.9.0-3.9.19
> Exploit type: CSRF
> Reported Date: 2020-May-07
> Fixed Date: 2020-July-14
> CVE Number: CVE-2020-15695
Description
A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
Reported By: Bui Duc Anh Khoa from Viettel Cyber Security
 
 

[20200702] - Core - Missing checks can lead to a broken usergroups table record
Posted: 14 Jul 2020 06:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 2.5.0-3.9.19
> Exploit type: Incorrect Access Control
> Reported Date: 2020-April-04
> Fixed Date: 2020-July-14
> CVE Number: CVE-2020-15699
Description
Missing validation checks at the usergroups table object can result into an broken site configuration.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
Reported By: Hoang Kien from VSEC
 
 

[20200701] - Core - CSRF in com_installer ajax_install endpoint
Posted: 14 Jul 2020 06:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.7.0-3.9.19
> Exploit type: CSRF
> Reported Date: 2020-May-07
> Fixed Date: 2020-July-14
> CVE Number: CVE-2020-XXXXX
Description
A missing token check in the ajax_install endpoint com_installer causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.7.0 - 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
Reported By: Bui Duc Anh Khoa from Viettel Cyber Security