Joomla Security Notice :: April 12, 2019

Started by Jason, April 12, 2019, 10:29:51 am



Jason

Joomla has emailed a security announcement. If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote: Joomla! Security News

________________________________________
• [20190403] - Core - Object.prototype pollution in JQuery $.extend
• [20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users
• [20190401] - Core - Directory Traversal in com_media
[20190403] - Core - Object.prototype pollution in JQuery $.extend
Posted: 09 Apr 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Moderate
> Versions: 3.0.0 through 3.9.4
> Exploit type: XSS
> Reported Date: 2019-March-25
> Fixed Date: 2019-April-09
> CVE Number: TBA
Description
The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.9.4
Solution
Upgrade to version 3.9.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: Michał Gołębiowski-Owczarek, David Jardin (JSST)

[20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users
Posted: 09 Apr 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: High
> Versions: 3.2.0 through 3.9.4
> Exploit type: ACL Violation
> Reported Date: 2019-March-13
> Fixed Date: 2019-April-08
> CVE Number: CVE-2019-10946
Description
The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.4
Solution
Upgrade to version 3.9.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle (JSST)

[20190401] - Core - Directory Traversal in com_media
Posted: 09 Apr 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 1.5.0 through 3.9.4
> Exploit type: Directory Traversal
> Reported Date: 2019-March-13
> Fixed Date: 2019-April-08
> CVE Number: CVE-2019-10945
Description
The Media Manager component does not properly sanitise the folder parameter, allowing attackers to act outside the media manager root directory.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.9.4
Solution
Upgrade to version 3.9.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: Haboob Research Team
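The first advisory above ([20190403]) only states that jQuery's $.extend "is vulnerable to Object.prototype pollution attacks". The following is an added example, not part of the forum post and not Joomla's or jQuery's own code: a minimal recursive extend written in the same style as a deep `$.extend(true, target, src)`, first in the unguarded form and then with the key check that closes the hole (the real jQuery fix skips the `__proto__` key in the same loop; the additional `constructor`/`prototype` checks here are defence in depth). The JSON payload, the `isAdmin` property name and the `demo` helper are all constructed for the illustration.

```javascript
// Added example: why a deep "extend" that walks every key of untrusted input
// can write to Object.prototype, and the check that prevents it.
// Not Joomla or jQuery code; the payload and names below are constructed.

"use strict";

// Same plain-object test a deep extend typically uses before recursing.
// Note that Object.prototype itself passes (its prototype is null), which
// is exactly what lets the recursion below land on it.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Unguarded deep extend, in the shape of the affected jQuery versions.
// JSON.parse('{"__proto__": {...}}') yields an own, enumerable key named
// "__proto__", so for...in visits it; reading target["__proto__"] returns
// Object.prototype, which is then used as the recursion target.
function deepExtendVulnerable(target, src) {
  for (const name in src) {
    const copy = src[name];
    if (isPlainObject(copy)) {
      const existing = target[name];
      const clone = isPlainObject(existing) ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy); // recurses into Object.prototype
    } else {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened deep extend: only own keys, never the keys that reach the
// prototype chain, and never a value that is the target itself.
function deepExtendHardened(target, src) {
  for (const name in src) {
    if (!Object.prototype.hasOwnProperty.call(src, name)) continue;
    if (name === "__proto__" || name === "constructor" || name === "prototype") continue;
    const copy = src[name];
    if (copy === target) continue;
    if (isPlainObject(copy)) {
      const existing = target[name];
      const clone = isPlainObject(existing) ? existing : {};
      target[name] = deepExtendHardened(clone, copy);
    } else {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker payload: a request body that an application might
// merge into its defaults with a deep extend.
const MALICIOUS_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merges the payload with the given implementation and reports whether an
// unrelated, freshly created object afterwards sees the injected property.
// Removes the injected property again so the runtime is left clean.
function demo(extendFn) {
  const defaults = { theme: "light" };
  const merged = extendFn(defaults, JSON.parse(MALICIOUS_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: merged.theme, polluted };
}

console.log("vulnerable:", demo(deepExtendVulnerable)); // polluted: true
console.log("hardened:  ", demo(deepExtendHardened));   // polluted: false
```

Both variants produce the expected `theme: "dark"`, so the legitimate merge works either way; the difference is only visible on an object that never took part in the merge, which is what makes prototype pollution easy to miss in testing. In an application the polluted property typically surfaces later as an unexpected truthy option, template variable or privilege flag, which is why the Joomla advisory classifies the exploit type as XSS rather than as a merge bug.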