I received this via email yesterday:
For more info: http://developer.joomla.org/security.html
-------------
Quote
[20090603] - Core - Frontend XSS
Posted: 02 Jun 2009 10:56 PM PDT
Project: Joomla!
SubProject: Site client
Severity: Low
Versions: 1.5.10 and all previous 1.5 releases
Exploit type: XSS
Reported Date: 2009-May-05
Fixed Date: 2009-June-02
Description
Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel.
Affected Installs
All 1.5.x installs prior to and including 1.5.10 are affected.
Solution
Upgrade to latest Joomla! version (1.5.11 or newer).
Contact
The JSST at the Joomla! Security Center.
Quote
[20090602] - Core - ja_purity XSS
Posted: 02 Jun 2009 10:56 PM PDT
Project: Joomla!
SubProject: ja_purity
Severity: Moderate
Versions: 1.5.10 and all previous 1.5 releases
Exploit type: XSS
Reported Date: 2009-April-06
Fixed Date: 2009-June-02
Description
A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5.
Affected Installs
All 1.5.x installs prior to and including 1.5.10 are affected.
Solution
Upgrade to latest Joomla! version (1.5.11 or newer).
Quote
[20090601] - Core - com_users XSS
Posted: 02 Jun 2009 10:56 PM PDT
Project: Joomla!
SubProject: com_users
Severity: Moderate
Versions: 1.5.10 and all previous 1.5 releases
Exploit type: XSS
Reported Date: 2009-April-30
Fixed Date: 2009-June-02
Description
A XSS vulnerability exists in the user view of com_users in the administrator panel.
Affected Installs
All 1.5.x installs prior to and including 1.5.10 are affected.
Solution
Upgrade to latest Joomla! version (1.5.11 or newer).
Updated! Thanks for the heads up.
Joomla has emailed a few more times this week. Apparently this is fairly widespread. I'll post their message below and will consider emailing all clients a link.
----------------
These days the long awaited Joomla 1.5.11 release is out. There are several security issues that have been fixed and users are strongly advised to upgrade their websites.
Joomla versions 1.5.0 - 1.5.9 contain a lot of security vulnerabilities that are in any script kiddie's backpack, and it's just a matter of time until they reach you.
Read on to get the news
Joomla 1.5.10 security release is out today ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Upgrade now to Joomla 1.5.10
Saturday 28 March the Joomla core team released a security upgrade of Joomla 1.5. Users are strongly encouraged to upgrade as soon as possible.
You can upgrade with ease using the patches available for all major releases here
Please mind the following issues known with upgrades to Joomla 1.5.10:
1) Error Component Install: Could not copy PHP install file in 1.5.10
2) Feed email undefined error
3) Incorrect Install File
http://softmarket.ro/joomla-1.5.10-security-release-is-out-today.html
Does this affect 1.0.15? I haven't upgraded to 1.5 since the software I use is not compatible with 1.5 yet.
I'm glad I removed Joomla for good. Thanks for the heads-up!! Charlottzweb ROCKS!
Quote from: marcobarrera on June 11, 2009, 12:45:42 PM
Does this affect 1.0.15? I haven't upgraded to 1.5 since the software I use is not compatible with 1.5 yet.
Woah, when was that version released? I'd definitely recommend poking around their forums for information about that version and whatever software you're using with it. Often it's the addons that are the vulnerabilities more so than Joomla itself. The same often holds true for any platform (like SMF too).
But there's a good chance a version that old has a number of flaws.
Quote from: rebelsgirl on June 11, 2009, 03:17:05 PM
I'm glad I removed Joomla for good. Thanks for the heads-up!! Charlottzweb ROCKS!
I'm not saying to remove it necessarily. I think Joomla is a great piece of software. But like anything else out there, you just have to keep on top of new releases and security patches.