Charlottezweb

Joomla Security Notice :: April 12, 2019

Discussion started on Script Chat

Joomla has emailed a security announcement. If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
Joomla! Security News

________________________________________
    [20190403] - Core - Object.prototype pollution in JQuery $.extend
    [20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users
    [20190401] - Core - Directory Traversal in com_media
[20190403] - Core - Object.prototype pollution in JQuery $.extend
Posted: 09 Apr 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Moderate
> Versions: 3.0.0 through 3.9.4
> Exploit type: XSS
> Reported Date: 2019-March-25
> Fixed Date: 2019-April-09
> CVE Number: TBA
Description
The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.9.4
Solution
Upgrade to version 3.9.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: Michał Gołębiowski-Owczarek, David Jardin (JSST)

[20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users
Posted: 09 Apr 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: High
> Versions: 3.2.0 through 3.9.4
> Exploit type: ACL Violation
> Reported Date: 2019-March-13
> Fixed Date: 2019-April-08
> CVE Number: CVE-2019-10946
Description
The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.4
Solution
Upgrade to version 3.9.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle (JSST)

[20190401] - Core - Directory Traversal in com_media
Posted: 09 Apr 2019 08:00 AM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 1.5.0 through 3.9.4
> Exploit type: Directory Traversal
> Reported Date: 2019-March-13
> Fixed Date: 2019-April-08
> CVE Number: CVE-2019-10945
Description
The Media Manager component does not properly sanitise the folder parameter, allowing attackers to act outside the media manager root directory.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.9.4
Solution
Upgrade to version 3.9.5
Contact
The JSST at the Joomla! Security Centre.
Reported By: Haboob Research Team
#1 - April 12, 2019, 10:29:51 AM
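An added example for the first item quoted above, the Object.prototype pollution in jQuery's $.extend. This is not jQuery's or Joomla's code: it is a minimal deep merge written the way jQuery.extend(true, target, source) behaved before the fix, beside a hardened version that refuses keys able to reach the prototype chain. The JSON input is constructed, and the names deepMergeUnsafe, deepMergeSafe and pollutionProbe are assumptions made for this example.

```javascript
// Added example, not jQuery's or Joomla's code: a deep merge in the style of
// jQuery.extend(true, target, source), first as the vulnerable pattern, then
// hardened. Names (deepMergeUnsafe, deepMergeSafe, pollutionProbe) are assumed.

// Mirrors jQuery's notion of a "plain object": an object whose prototype is
// Object.prototype OR null. Object.prototype itself therefore counts as plain,
// which is what lets the unsafe merge walk into it.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable pattern: every key of `source` is trusted, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, which passes the
// plain-object test above and so becomes the merge target for the nested values.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepMergeUnsafe(clone, src);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: only own keys are merged, and keys that can reach the prototype
// chain are skipped outright (jQuery 3.4.0 took the same approach for "__proto__").
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepMergeSafe(clone, src);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Constructed test input: a JSON document carrying a "__proto__" key, as an
// untrusted request body or config file might. JSON.parse creates it as an
// ordinary own property, so the merge sees it like any other key.
const POLLUTING_JSON = '{"__proto__": {"polluted": "yes"}}';

// Regression probe for a merge helper: returns the value an unrelated object
// inherits after the merge ("yes" if Object.prototype was written to,
// undefined if not), then restores Object.prototype for later tests.
function pollutionProbe(mergeFn) {
  const bystander = {};
  mergeFn({}, JSON.parse(POLLUTING_JSON));
  const leaked = bystander.polluted;
  delete Object.prototype.polluted;
  return leaked;
}
```

The probe is the check worth keeping in a project's test suite: any deep-merge or "options" helper that accepts JSON from outside should leave an unrelated object's inherited properties untouched. Skipping the three keys is cheap; the alternative of copying with `Object.create(null)` targets changes the type of the result and is harder to retrofit.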

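An added example for the third item, the unsanitised folder parameter in com_media. It is not Joomla's code, and it is written in JavaScript only to keep this page's examples in one language: a validator that normalises a user-supplied folder path segment by segment and refuses anything that would address a location outside the media root. The names resolveMediaFolder and mediaPath and the sample root are assumptions.

```javascript
// Added example, not Joomla's code: validating a user-controlled "folder"
// parameter before it is used to address files under a fixed media root.
// Names (resolveMediaFolder, mediaPath) are assumed.

// Characters permitted in one folder-name segment (allow-list). "%" is not
// included, so percent-encoded sequences such as "%2e%2e" are refused rather
// than decoded and re-interpreted later by another layer.
const SEGMENT_RE = /^[A-Za-z0-9_][A-Za-z0-9_.\- ]*$/;

// Normalises `folder` segment by segment and returns the relative path to use
// under the media root, "" for the root itself, or null when the request
// must be refused.
function resolveMediaFolder(folder) {
  if (typeof folder !== 'string') return null;
  if (folder.includes('\0')) return null;    // NUL would truncate the path in C-backed file APIs
  // Treat "\" as a separator as well: the site may be served from Windows.
  const parts = folder.replace(/\\/g, '/').split('/');
  const kept = [];
  for (const p of parts) {
    if (p === '' || p === '.') continue;      // "a//b" and "./a" are harmless noise
    if (p === '..') return null;              // any climb is refused, even "a/../b"
    if (!SEGMENT_RE.test(p)) return null;     // drive letters, ":" and odd bytes land here
    kept.push(p);
  }
  return kept.join('/');
}

// Builds the on-disk path. `root` is an absolute directory without a trailing
// slash. The final startsWith check is defence in depth: the path is built
// from vetted segments, so it can only fail if resolveMediaFolder regresses.
function mediaPath(root, folder) {
  const rel = resolveMediaFolder(folder);
  if (rel === null) return null;
  const full = rel === '' ? root : `${root}/${rel}`;
  if (full !== root && !full.startsWith(`${root}/`)) return null;
  return full;
}
```

Refusing ".." outright, instead of resolving it and checking the result, is the simpler rule to audit: a media manager has no legitimate reason to accept a climb, and the containment check in mediaPath is then a safety net rather than the only control.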