Joomla Security Notice :: January 29, 2020

Started by Jason, January 29, 2020, 05:20:13 pm

Jason

Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote: Joomla! Security News

________________________________________
• [20200103] - Core - XSS in com_actionlogs
• [20200102] - Core - CSRF com_templates LESS compiler
• [20200101] - Core - CSRF in batch actions
[20200103] - Core - XSS in com_actionlogs
Posted: 28 Jan 2020 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: High
> Severity: Low
> Versions: 3.9.0-3.9.14
> Exploit type: XSS
> Reported Date: 2019-December-25
> Fixed Date: 2020-January-28
> CVE Number: CVE-2020-8421
Description
Inadequate escaping of usernames allows XSS attacks in com_actionlogs.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.14
Solution
Upgrade to version 3.9.15
Contact
The JSST at the Joomla! Security Centre.
Reported By: Mayank Kumbhar from Techjoomla

[20200102] - Core - CSRF com_templates LESS compiler
Posted: 28 Jan 2020 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: High
> Severity: Low
> Versions: 3.0.0-3.9.14
> Exploit type: CSRF
> Reported Date: 2019-December-18
> Fixed Date: 2020-January-28
> CVE Number: CVE-2020-8420
Description
A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.14
Solution
Upgrade to version 3.9.15
Contact
The JSST at the Joomla! Security Centre.
Reported By: Lee Thao from Viettel Cyber Security

[20200101] - Core - CSRF in batch actions
Posted: 28 Jan 2020 05:00 AM PST
> Project: Joomla!
> SubProject: CMS
> Impact: Moderate
> Severity: Low
> Versions: 3.0.0-3.9.14
> Exploit type: CSRF
> Reported Date: 2019-December-23
> Fixed Date: 2020-January-28
> CVE Number: CVE-2020-8419
Description
Missing token checks in the batch actions of various components cause CSRF vulnerabilities.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.14
Solution
Upgrade to version 3.9.15
Contact
The JSST at the Joomla! Security Centre.
Reported By: Lee Thao from Viettel Cyber Security
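The post asks readers to check their Joomla version against the three notices. The script below is an added example, not part of the original post or of Joomla's own code: it reads the version from a Joomla file manifest and reports which of the three advisories quoted above apply and what version to upgrade to. The affected ranges, advisory IDs and CVE numbers are taken from the notice; the manifest layout (a `<version>` element in `administrator/manifests/files/joomla.xml`) is assumed, and the sample manifest is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Advisories exactly as listed in the notice above; version ranges are inclusive.
ADVISORIES = [
    ("20200103", "CVE-2020-8421", "XSS in com_actionlogs", (3, 9, 0), (3, 9, 14)),
    ("20200102", "CVE-2020-8420", "CSRF com_templates LESS compiler", (3, 0, 0), (3, 9, 14)),
    ("20200101", "CVE-2020-8419", "CSRF in batch actions", (3, 0, 0), (3, 9, 14)),
]
# All three notices give the same fixed release.
FIXED_VERSION = (3, 9, 15)


def parse_version(text):
    """Turn '3.9.14' (optionally followed by a suffix) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Joomla version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_manifest(xml_text):
    """Read the <version> element from a Joomla file manifest (assumed layout,
    modelled on administrator/manifests/files/joomla.xml)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("no <version> element in manifest")
    return parse_version(node.text)


def applicable_advisories(version):
    """Return (id, cve, title) for every advisory whose range contains version."""
    return [
        (aid, cve, title)
        for aid, cve, title, lo, hi in ADVISORIES
        if lo <= version <= hi
    ]


def assess(version):
    """Summarise exposure for one installed version."""
    hits = applicable_advisories(version)
    return {
        "version": ".".join(map(str, version)),
        "affected": bool(hits),
        "advisories": hits,
        "upgrade_to": ".".join(map(str, FIXED_VERSION)) if hits else None,
    }


# Constructed sample manifest; only the <version> element matters here.
SAMPLE_MANIFEST = """<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.9.14</version>
</extension>
"""

if __name__ == "__main__":
    report = assess(version_from_manifest(SAMPLE_MANIFEST))
    print(report)
```

Note that a 3.x install older than 3.9.0 still matches the two CSRF notices even though it is outside the XSS range, so the check has to be done per advisory rather than against a single range. Versions are compared as integer tuples so that 3.9.14 sorts before 3.9.15 (a plain string comparison would get 3.10.x wrong).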