Joomla Security Notice :: June 27, 2018

Started by Jason, June 27, 2018, 05:58:04 PM

Jason

Joomla has emailed a security announcement. If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
________________________________________
[20180602] - Core - XSS vulnerability in language switcher module
Posted: 26 Jun 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Low
  -  Severity: Low
  -  Versions: 1.6.0 through 3.8.8
  -  Exploit type: XSS
  -  Reported Date: 2018-May-07
  -  Fixed Date: 2018-June-26
  -  CVE Number: CVE-2018-12711
Description
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url.
Affected Installs
Joomla! CMS versions 1.6.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.
Reported By: Borja Lorenzo, Innotecsystem
 

[20180601] - Core - Local File Inclusion with PHP 5.3
Posted: 26 Jun 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Low
  -  Severity: Low
  -  Versions: 2.5.0 through 3.8.8
  -  Exploit type: LFI
  -  Reported Date: 2018-April-23
  -  Fixed Date: 2018-June-26
  -  CVE Number: CVE-2018-12712
Description
Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.
Reported By: Davide Tampellini
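
The second advisory quoted above attributes the LFI to an autoloader that relied on class_exists() to validate class names. As an added example (not Joomla's code and not the 3.8.9 fix), an autoloader can check the name against an explicit pattern and confine the resolved path before including anything; the SafeLoader class, its base directory and the sample names are hypothetical.

```php
<?php
// Added illustration, not Joomla's loader. SafeLoader and the sample names are hypothetical.
final class SafeLoader
{
    private $baseDir;

    public function __construct($baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException('Base directory does not exist');
        }
        $this->baseDir = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }

    // Accept only the ASCII subset of PHP's identifier grammar, optionally namespaced.
    // Dots, slashes, NUL bytes and empty segments all fail here.
    public static function isValidClassName($class)
    {
        return is_string($class)
            && preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/D', $class) === 1;
    }

    // Map a class name to a file below the base directory, or return null.
    public function resolve($class)
    {
        if (!self::isValidClassName($class)) {
            return null; // never rely on class_exists() to reject a bad name
        }
        $path = realpath($this->baseDir . str_replace('\\', DIRECTORY_SEPARATOR, $class) . '.php');
        // realpath() follows symlinks, so re-check that the result stays inside the base directory.
        if ($path === false || strpos($path, $this->baseDir) !== 0) {
            return null;
        }
        return $path;
    }

    public function load($class)
    {
        $path = $this->resolve($class);
        if ($path !== null) {
            require_once $path;
        }
    }
}

spl_autoload_register(array(new SafeLoader(__DIR__), 'load'));
foreach (array('Foo_Bar', 'Vendor\\Pkg\\Thing', 'Foo.Bar', 'Foo/Bar', "Foo\0Bar") as $name) { // constructed
    printf("%-24s %s\n", json_encode($name), SafeLoader::isValidClassName($name) ? 'accepted' : 'rejected');
}
```

The pattern is deliberately stricter than PHP's own grammar, which also allows high-byte characters in identifiers; widen it only if your class names need them.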