Charlottezweb

General Conversation => Script Chat => Topic started by: Jason on January 13, 2021, 09:14:48 AM

Title: Joomla Security Notice :: January 13, 2021
Post by: Jason on January 13, 2021, 09:14:48 AM
Joomla has emailed a security announcement. If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote: Joomla! Security News

________________________________________
• [20210103] - Core - XSS in com_tags image parameters
• [20210102] - Core - XSS in mod_breadcrumbs aria-label attribute
• [20210101] - Core - com_modules exposes module names
[20210103] - Core - XSS in com_tags image parameters
Posted: 11 Jan 2021 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 3.1.0 - 3.9.23
> Exploit type: XSS
> Reported Date: 2020-09-01
> Fixed Date: 2021-01-12
> CVE Number: CVE-2021-23125
Description
Lack of escaping of image-related parameters in multiple com_tags views can lead to XSS attack vectors.
Affected Installs
Joomla! CMS versions 3.1.0 - 3.9.23
Solution
Upgrade to version 3.9.24
Contact
The JSST at the Joomla! Security Centre.
Reported By: Šarūnas Paulauskas

[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute
Posted: 11 Jan 2021 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 3.9.0 - 3.9.23
> Exploit type: XSS
> Reported Date: 2020-09-01
> Fixed Date: 2021-01-12
> CVE Number: CVE-2021-23124
Description
Lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.23
Solution
Upgrade to version 3.9.24
Contact
The JSST at the Joomla! Security Centre.
Reported By: Šarūnas Paulauskas

[20210101] - Core - com_modules exposes module names
Posted: 11 Jan 2021 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.0.0 - 3.9.23
> Exploit type: Incorrect Access Control
> Reported Date: 2020-07-07
> Fixed Date: 2021-01-12
> CVE Number: CVE-2021-23123
Description
Lack of ACL checks in the orderPosition endpoint of com_modules leaks names of unpublished and/or inaccessible modules.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.23
Solution
Upgrade to version 3.9.24
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor
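Both XSS items above ([20210103] and [20210102]) come down to the same defect class: a value that can be influenced by a content editor is written into an HTML attribute without attribute-context escaping. The following is an added illustration, not Joomla's own code and not the patched template: it models a breadcrumb `aria-label` with a constructed sample title, renders it three ways (no escaping, escaping that skips quotes, full escaping) and then checks how many attributes a parser sees on the resulting tag. The point it adds beyond the advisory text is that escaping only `<`, `>` and `&` is not enough inside a quoted attribute; the quote character itself must be encoded.

```python
import html
import re

# Constructed sample input: an editor-controlled title containing a double quote.
# In a quoted attribute the quote is the character that ends the attribute early.
UNTRUSTED_TITLE = 'Products" data-x="injected'


def render_breadcrumb_unsafe(title: str) -> str:
    """Vulnerable pattern: raw value written into a quoted attribute."""
    return f'<nav aria-label="{title}">...</nav>'


def render_breadcrumb_partial(title: str) -> str:
    """Insufficient fix: escapes < > & but leaves quotes untouched.

    This is enough for text nodes but not for attribute values.
    """
    return f'<nav aria-label="{html.escape(title, quote=False)}">...</nav>'


def render_breadcrumb_safe(title: str) -> str:
    """Attribute-context escaping: html.escape(quote=True) encodes " and ' as well."""
    return f'<nav aria-label="{html.escape(title, quote=True)}">...</nav>'


# Minimal attribute scanner for a double-quoted-attributes-only opening tag.
# It is deliberately simple (hypothetical helper, not a real HTML parser),
# but it mirrors what a browser does with a stray quote: the attribute ends.
_ATTR_RE = re.compile(r'\s([a-zA-Z-]+)="([^"]*)"')


def parse_opening_tag(markup: str) -> dict[str, str]:
    """Return {attribute_name: raw_value} for the first tag in `markup`."""
    open_tag = markup[: markup.index(">") + 1]
    return {name: value for name, value in _ATTR_RE.findall(open_tag)}


def attribute_names(markup: str) -> list[str]:
    """Attribute names visible on the opening tag, in document order."""
    return list(parse_opening_tag(markup))


def decoded_aria_label(markup: str) -> str:
    """The aria-label value as a browser would decode it after parsing."""
    return html.unescape(parse_opening_tag(markup)["aria-label"])


def is_contained(markup: str, original: str) -> bool:
    """True when the untrusted value stayed inside aria-label and round-trips intact."""
    return attribute_names(markup) == ["aria-label"] and decoded_aria_label(markup) == original


if __name__ == "__main__":
    for label, render in (
        ("unsafe", render_breadcrumb_unsafe),
        ("partial", render_breadcrumb_partial),
        ("safe", render_breadcrumb_safe),
    ):
        out = render(UNTRUSTED_TITLE)
        print(f"{label:8} attributes={attribute_names(out)} contained={is_contained(out, UNTRUSTED_TITLE)}")
```

Running the block shows the unsafe and partial renderers both produce a tag with a second, injected attribute, while the fully escaped version keeps the whole title inside `aria-label` and decodes back to the original string. The same reasoning applies to the image parameters in com_tags: any value that lands in `src`, `alt` or a similar attribute needs quote-aware escaping, which is why the fix for both notices is the same upgrade.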