Joomla Security Notice :: June 12, 2019

Started by Jason, June 13, 2019, 08:29:06 pm

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason

Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

QuoteJoomla! Security News

________________________________________
•   [20190603] - Core - ACL hardening of com_joomlaupdate
•   [20190602] - Core - XSS in subform field
•   [20190601] - Core - CSV injection in com_actionlogs
[20190603] - Core - ACL hardening of com_joomlaupdate
Posted: 10 Jun 2019 05:00 PM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.8.13 through 3.9.6
> Exploit type: Incorrect Access Control
> Reported Date: 2019-April-10
> Fixed Date: 2019-June-11
> CVE Number: CVE-2019-12764
Description
The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.
Affected Installs
Joomla! CMS versions 3.8.13 through 3.9.6
Solution
Upgrade to version 3.9.7
Contact
The JSST at the Joomla! Security Centre.
 
 
 

[20190602] - Core - XSS in subform field
Posted: 10 Jun 2019 05:00 PM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 3.6.0 through 3.9.6
> Exploit type: XSS
> Reported Date: 2019-January-01
> Fixed Date: 2019-June-11
> CVE Number: CVE-2019-12766
Description
The subform fieldtype does not sufficiently filter or validate input of subfields, this leads to XSS attack vectors.
Affected Installs
Joomla! CMS versions 3.6.0 through 3.9.6
Solution
Upgrade to version 3.9.7
Contact
The JSST at the Joomla! Security Centre.
Reported By: Volkmar Schlothauer, ghsvs.de
 
 

[20190601] - Core - CSV injection in com_actionlogs
Posted: 10 Jun 2019 05:00 PM PDT
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.9.0 through 3.9.6
> Exploit type: CSV Injection
> Reported Date: 2019-April-29
> Fixed Date: 2019-June-11
> CVE Number: CVE-2019-12765
Description
The CSV export of com_actionslogs is vulnerable to CSV injection.
Affected Installs
Joomla! CMS versions 3.9.0 through 3.9.6
Solution
Upgrade to version 3.9.7
Contact
The JSST at the Joomla! Security Centre.
Reported By: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)