Joomla Update Blog

Most, if not all, problems with Joomla installations come down to not updating the Joomla version in time. Below you will find the standard Joomla security RSS feed. These entries cover only updates to the CORE of the software, not any additional extensions (components, modules, plugins or templates) you may have installed. Always check your CORE Joomla files, but do not forget your added components or plugins: third-party extensions are patched on their own schedules and are not covered by this feed. Also always remove any unused components, themes or plugins from any installation (Joomla or any other software product); an extension that is installed but unused is still reachable and still needs patching.

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.2.0 through 3.9.3
Exploit type: XSS
Reported Date: 2019-March-04
Fixed Date: 2019-March-12
CVE Number: CVE-2019-9712

Description
The JSON handler in com_config lacks input validation, leading to an XSS vulnerability.

Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3

Solution
Upgrade to version 3.9.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Mario Korth, Hackmanit


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.0.0 through 3.9.3
Exploit type: XSS
Reported Date: 2019-February-25
Fixed Date: 2019-March-12
CVE Number: CVE-2019-9711

Description
The item_title layout in edit views lacks escaping, leading to an XSS vulnerability.

Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3

Solution
Upgrade to version 3.9.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Fouad Maakor


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.0.0 through 3.9.3
Exploit type: XSS
Reported Date: 2019-February-25
Fixed Date: 2019-March-12
CVE Number: CVE-2019-9714

Description
The media form field lacks escaping, leading to an XSS vulnerability.

Affected Installs
Joomla! CMS versions 3.2.0 through 3.9.3

Solution
Upgrade to version 3.9.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Fouad Maakor


Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: High
Versions: 3.8.0 through 3.9.3
Exploit type: XSS
Reported Date: 2019-February-28
Fixed Date: 2019-March-12
CVE Number: CVE-2019-9713

Description
The sample data plugins lack ACL checks, allowing unauthorized access.

Affected Installs
Joomla! CMS versions 3.8.0 through 3.9.3

Solution
Upgrade to version 3.9.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Sven Hurt, Benjamin Trenkle


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: Object Injection
Reported Date: 2019-January-18
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7743

Description
The phar:// stream wrapper can be used for object injection attacks. Usage of the phar:// handler for non-.phar files is now disallowed globally within the CMS by implementing the TYPO3 PHAR stream wrapper.

Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2

Solution
Upgrade to version 3.9.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: David Jardin (JSST)


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: XSS
Reported Date: 2018-October-07
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7740

Description
Inadequate parameter handling in JS code could lead to an XSS attack vector.

Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2

Solution
Upgrade to version 3.9.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Dimitris Grammatikogiannis


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: XSS
Reported Date: 2019-January-16
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7741

Description
Inadequate checks on the Global Configuration helpurl setting allowed a stored XSS.

Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2

Solution
Upgrade to version 3.9.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Antonin Steinhauser


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: XSS
Reported Date: 2019-January-17
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7739

Description
The "No Filtering" text filter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog.

Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2

Solution
Upgrade to version 3.9.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Raviraj Powar


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 1.0.0 through 3.9.2
Exploit type: XSS
Reported Date: 2018-September-24
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7742

Description
A combination of specific webserver configurations, in connection with specific file types and browser-side MIME-type sniffing, creates an XSS attack vector.

Affected Installs
Joomla! CMS versions 1.0.0 through 3.9.2

Solution
Upgrade to version 3.9.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Hanno Böck


Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: XSS
Reported Date: 2018-November-13
Fixed Date: 2019-February-12
CVE Number: CVE-2019-7744

Description
Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability.

Affected Installs
Joomla! CMS versions 2.5.0 through 3.9.2

Solution
Upgrade to version 3.9.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Antonin Steinhauser
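The practical question behind the feed above is "which of these entries apply to the version I am actually running, and what is the lowest version that closes all of them?" The script below is an added example written for this page; it is not Joomla's own tooling and not part of the original post. It parses advisory entries in the JSST plain-text layout (the sample feed is constructed from four of the entries quoted above), reads the installed version from a constructed copy of Joomla's libraries/src/Version.php (the MAJOR_VERSION / MINOR_VERSION / PATCH_VERSION constant names are assumed from Joomla 3.8+), and reports the applicable CVEs plus the minimum upgrade target. Versions are compared as integer tuples, because comparing "3.10.0" and "3.9.4" as strings gives the wrong answer.

```python
"""Check an installed Joomla! CMS version against JSST-style security advisories.

Added example for this page; not Joomla's own code.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]

# Constructed sample: four entries transcribed from the feed items quoted on this
# page, reduced to the fields this check needs, in the JSST plain-text layout.
SAMPLE_FEED = """
Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.2.0 through 3.9.3
Exploit type: XSS
CVE Number: CVE-2019-9712
Solution
Upgrade to version 3.9.4

Project: Joomla!
SubProject: CMS
Severity: High
Versions: 3.8.0 through 3.9.3
Exploit type: XSS
CVE Number: CVE-2019-9713
Solution
Upgrade to version 3.9.4

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 2.5.0 through 3.9.2
Exploit type: Object Injection
CVE Number: CVE-2019-7743
Solution
Upgrade to version 3.9.3

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 1.0.0 through 3.9.2
Exploit type: XSS
CVE Number: CVE-2019-7742
Solution
Upgrade to version 3.9.3
"""

# Constructed sample of libraries/src/Version.php from a Joomla 3.9.2 install.
# The three *_VERSION constants are assumed to carry the version (Joomla 3.8+ layout).
SAMPLE_VERSION_PHP = """<?php
namespace Joomla\\CMS;

class Version
{
    const PRODUCT = 'Joomla!';
    const MAJOR_VERSION = 3;
    const MINOR_VERSION = 9;
    const PATCH_VERSION = 2;
}
"""


@dataclass
class Advisory:
    cve: str
    exploit_type: str
    severity: str
    first_affected: Version
    last_affected: Version
    fixed_in: Version


def parse_version(text: str) -> Version:
    """'3.9.2' -> (3, 9, 2). Tuples of ints order correctly; the raw strings do not."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def parse_feed(feed: str) -> List[Advisory]:
    """Split the feed at each 'Project:' line and pull the fields from every entry."""
    advisories = []
    for block in re.split(r"(?m)^Project:", feed)[1:]:
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+):\s*(.+)$", block))
        span = re.search(r"Versions:\s*(\S+)\s+through\s+(\S+)", block)
        fix = re.search(r"Upgrade to version\s*(\S+)", block)
        if not (span and fix):
            continue  # malformed entry: skip it rather than silently misclassify
        advisories.append(Advisory(
            cve=fields.get("CVE Number", "n/a"),
            exploit_type=fields.get("Exploit type", "n/a"),
            severity=fields.get("Severity", "n/a"),
            first_affected=parse_version(span.group(1)),
            last_affected=parse_version(span.group(2)),
            fixed_in=parse_version(fix.group(1)),
        ))
    return advisories


def installed_version(version_php: str) -> Version:
    """Read MAJOR/MINOR/PATCH from Version.php source (constant names assumed, see above)."""
    consts = {name: int(value) for name, value in
              re.findall(r"const (MAJOR|MINOR|PATCH)_VERSION\s*=\s*(\d+)\s*;", version_php)}
    return (consts["MAJOR"], consts["MINOR"], consts["PATCH"])


def applicable(advisories: List[Advisory], installed: Version) -> List[Advisory]:
    """Entries whose affected range (inclusive on both ends) contains the installed version."""
    return [a for a in advisories if a.first_affected <= installed <= a.last_affected]


def minimum_safe_version(advisories: List[Advisory], installed: Version) -> Version:
    """Lowest version that closes every applicable entry; the current one if none apply."""
    hits = applicable(advisories, installed)
    return max(a.fixed_in for a in hits) if hits else installed


if __name__ == "__main__":
    advs = parse_feed(SAMPLE_FEED)
    current = installed_version(SAMPLE_VERSION_PHP)
    print("installed:", ".".join(map(str, current)))
    for a in applicable(advs, current):
        print(f"  {a.cve}  {a.severity:<8} {a.exploit_type}  fixed in {'.'.join(map(str, a.fixed_in))}")
    print("upgrade to:", ".".join(map(str, minimum_safe_version(advs, current))))
```

On a real site, read the feed text from the JSST RSS items and the PHP source from the install's libraries/src/Version.php instead of the constructed samples, and remember the caveat from the top of this page: this only covers the CORE; installed extensions need their own check.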