Joomla Security Notice :: December 18, 2019

Started by Jason, December 18, 2019, 07:41:13 PM

Jason

Joomla has emailed a security announcement. If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote:

Joomla! Security News

________________________________________
[20191202] - Core - Various SQL injections through configuration parameters
Posted: 16 Dec 2019 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: High
> Severity: Low
> Versions: 2.5.0 - 3.9.13
> Exploit type: SQL injection
> Reported Date: 2019-December-01
> Fixed Date: 2019-December-17
> CVE Number: CVE-2019-19846

Description
The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.

[20191201] - Core - Path Disclosure in framework files
Posted: 16 Dec 2019 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: Low
> Severity: Low
> Versions: 3.8.0 - 3.9.13
> Exploit type: Path Disclosure
> Reported Date: 2019-November-22
> Fixed Date: 2019-December-17
> CVE Number: CVE-2019-19845
Description
Missing access check in framework files could lead to a path disclosure.
Affected Installs
Joomla! CMS versions 3.8.0 - 3.9.13
Solution
Upgrade to version 3.9.14
Contact
The JSST at the Joomla! Security Centre.
Reported By: Lee Thao, Viettel Cyber Security