Joomla Security Notice :: March 13, 2019

Started by Jason, March 14, 2019, 02:48:58 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason

Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

QuoteJoomla! Security News

________________________________________
•    [20190304] - Core - Missing ACL check in sample data plugins
•    [20190303] - Core - XSS in media form field
•    [20190302] - Core - XSS in item_title layout
•    [20190301] - Core - XSS in com_config JSON handler
[20190304] - Core - Missing ACL check in sample data plugins
Posted: 12 Mar 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: High
> Versions: 3.8.0 through 3.9.3
> Exploit type: XSS
> Reported Date: 2019-February-28
> Fixed Date: 2019-March-12
> CVE Number: CVE-2019-9713
Description
The sample data plugins lack ACL checks, allowing unauthorized access.
Affected Installs
Joomla! CMS versions 3.8.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Sven Hurt, Benjamin Trenkle
 
 

[20190303] - Core - XSS in media form field
Posted: 12 Mar 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.0.0 through 3.9.3
> Exploit type: XSS
> Reported Date: 2019-February-25
> Fixed Date: 2019-March-12
> CVE Number: CVE-2019-9714
Description
The media form field lacks escaping, leading to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fouad Maakor
 
 

[20190302] - Core - XSS in item_title layout
Posted: 12 Mar 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.0.0 through 3.9.3
> Exploit type: XSS
> Reported Date: 2019-February-25
> Fixed Date: 2019-March-12
> CVE Number: CVE-2019-9711
Description
The item_title layout in edit views lacks escaping, leading to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fouad Maakor
 
 

[20190301] - Core - XSS in com_config JSON handler
Posted: 12 Mar 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.2.0 through 3.9.3
> Exploit type: XSS
> Reported Date: 2019-March-04
> Fixed Date: 2019-March-12
> CVE Number: CVE-2019-9712
Description
The JSON handler in com_config lacks input validation, leading to XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3
Solution
Upgrade to version 3.9.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Mario Korth, Hackmanit