Joomla Security Notice :: January 31, 2018

Started by Jason, February 03, 2018, 04:32:43 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason

Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

QuoteJoomla! Security News

________________________________________
•    [20180104] - Core - SQLi vulnerability in Hathor postinstall message
•    [20180103] - Core - XSS vulnerability in Uri class
•    [20180102] - Core - XSS vulnerability in com_fields
•    [20180101] - Core - XSS vulnerability in module chromes
[20180104] - Core - SQLi vulnerability in Hathor postinstall message
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: High
-  Severity: Low
-  Versions: 3.7.0 through 3.8.3
-  Exploit type: SQLi
-  Reported Date: 2017-November-17
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6376
Description
The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Karim Ouerghemmi, ripstech.com
 
 

[20180103] - Core - XSS vulnerability in Uri class
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: Moderate
-  Severity: Low
-  Versions: 1.5.0 through 3.8.3
-  Exploit type: XSS
-  Reported Date: 2017-November-17
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6379
Description
Inadequate input filtering in the Uri class (formerly JUri) leads to a XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Octavian Cinciu
 
 

[20180102] - Core - XSS vulnerability in com_fields
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: Moderate
-  Severity: Low
-  Versions: 3.7.0 through 3.8.3
-  Exploit type: XSS
-  Reported Date: 2018-January-20
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6377
Description
Inadequate input filtering in com_fields leads to a XSS vulnerability in multiple field types, i.e. list, radio and checkbox.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle, JSST
 
 

[20180101] - Core - XSS vulnerability in module chromes
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: Moderate
-  Severity: Low
-  Versions: 3.0.0 through 3.8.3
-  Exploit type: XSS
-  Reported Date: 2018-January-21
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6380
Description
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST