Joomla has emailed a security announcement. If you use Joomla for your site, please check your version and upgrade accordingly.
The announcement is available on their site here:
https://developer.joomla.org/security-centre.html (https://developer.joomla.org/security-centre.html)
Quote
________________________________________
[20180602] - Core - XSS vulnerability in language switcher module
Posted: 26 Jun 2018 06:30 AM PDT
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 1.6.0 through 3.8.8
- Exploit type: XSS
- Reported Date: 2018-May-07
- Fixed Date: 2018-June-26
- CVE Number: CVE-2018-12711
Description
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url.
Affected Installs
Joomla! CMS versions 1.6.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.
Reported By: Borja Lorenzo, Innotecsystem
[20180601] - Core - Local File Inclusion with PHP 5.3
Posted: 26 Jun 2018 06:30 AM PDT
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0 through 3.8.8
- Exploit type: LFI
- Reported Date: 2018-April-23
- Fixed Date: 2018-June-26
- CVE Number: CVE-2018-12712
Description
Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.8
Solution
Upgrade to version 3.8.9
Contact
The JSST at the Joomla! Security Centre.
Reported By: Davide Tampellini