Joomla Update Blog

Most if not all issues with Joomla installations have to do with not timely update your Joomla version, below you will find the standard Security RSS feed of Joomla; these are only the updates you may need for the CORE of the software, not for any additional plugins you may have installed. It is important to always check your CORE Joomla files but do not forget your added components or plugins. Also always remove any unused components, themes or plugins for any installation (Joomla or any other software product).

\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: Low\r\nVersions: 1.5.0 through 3.7.3\r\nExploit type: XSS\r\nReported Date: 2017-April-26\r\nFixed Date: 2017-July-25\r\nCVE Number: CVE-2017-11612\r\n\r\nDescription\r\nInadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.\r\nAffected Installs\r\nJoomla! CMS versions 1.5.0 through 3.7.3\r\nSolution\r\nUpgrade to version 3.7.4\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Beat B, JSST
\r\nProject: Joomla!\r\nSubProject: CMS Installer\r\nSeverity: High\r\nVersions: 1.0.0 through 3.7.3\r\nExploit type: Lack of Ownership Verification\r\nReported Date: 2017-Apr-06\r\nFixed Date: 2017-July-25\r\nCVE Number: CVE-2017-11364\r\n\r\nDescription\r\nThe CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control.\r\nPlease note: Already installed sites are not affected, as this issue is limited to the installer application!\r\nAffected Installs\r\nJoomla! CMS versions 1.0.0 through 3.7.3\r\nSolution\r\nUpgrade to version 3.7.4\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Hanno Böck
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: Low\r\nVersions: 1.5.0 through 3.7.2\r\nExploit type: XSS\r\nReported Date: 2017-June-22\r\nFixed Date: 2017-July-04\r\nCVE Number: CVE-2017-7985\r\n\r\nDescription\r\nInadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.\r\nAffected Installs\r\nJoomla! CMS versions 1.5.0 through 3.6.5\r\nSolution\r\nUpgrade to version 3.7.3\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Fortinet\'s FortiGuard Labs
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: High\r\nVersions: 1.7.3 - 3.7.2\r\nExploit type: XSS\r\nReported Date: 2017-June-04\r\nFixed Date: 2017-July-04\r\nCVE Number: CVE-2017-9934\r\n\r\nDescription\r\nMissing CSRF token checks and improper input validation lead to an XSS vulnerability.\r\nAffected Installs\r\nJoomla! CMS versions 1.7.3-3.7.2\r\nSolution\r\nUpgrade to version 3.7.3\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Envo
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: High\r\nVersions: 1.7.3 - 3.7.2\r\nExploit type: Information Disclosure\r\nReported Date: 2016-Feb-05\r\nFixed Date: 2017-July-04\r\nCVE Number: CVE-2017-9933\r\n\r\nDescription\r\nImproper cache invalidation leads to disclosure of form contents.\r\nAffected Installs\r\nJoomla! CMS versions 1.7.3-3.7.2\r\nSolution\r\nUpgrade to version 3.7.3\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Jeff Channell
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: High\r\nVersions: 3.7.0\r\nExploit type: SQL Injection\r\nReported Date: 2017-May-11\r\nFixed Date: 2017-May-17\r\nCVE Number: CVE-2017-8917\r\n\r\nDescription\r\nInadequate filtering of request data leads to a SQL Injection vulnerability.\r\nAffected Installs\r\nJoomla! CMS versions 3.7.0\r\nSolution\r\nUpgrade to version 3.7.1\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Marc-Alexandre Montpas / sucuri.net
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: Low\r\nVersions: 3.4.0 through 3.6.5\r\nExploit type: Information Disclosure\r\nReported Date: 2016-Feb-06\r\nFixed Date: 2017-April-25\r\nCVE Number: CVE-2017-8057\r\n\r\nDescription\r\nMultiple files caused full path disclosures on systems with enabled error reporting.\r\nAffected Installs\r\nJoomla! CMS versions 3.4.0 through 3.6.5\r\nSolution\r\nUpgrade to version 3.7.0\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Sim of tencent security
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: Low\r\nVersions: 3.2.0 through 3.6.5\r\nExploit type: ACL Violation\r\nReported Date: 2017-March-01\r\nFixed Date: 2017-April-25\r\nCVE Number: CVE-2017-7989\r\n\r\nDescription\r\nInadequate mime type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.\r\nAffected Installs\r\nJoomla! CMS versions 3.2.0 through 3.6.5\r\nSolution\r\nUpgrade to version 3.7.0\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: Abdullah Hussam
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: Low\r\nVersions: 1.6.0 through 3.6.5\r\nExploit type: ACL Violation\r\nReported Date: 2016-April-29\r\nFixed Date: 2017-April-25\r\nCVE Number: CVE-2017-7988\r\n\r\nDescription\r\nInadequate filtering of form contents lead allow to overwrite the author of an article.\r\nAffected Installs\r\nJoomla! CMS versions 1.6.0 through 3.6.5\r\nSolution\r\nUpgrade to version 3.7.0\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: T-Systems Multimedia Solutions
\r\nProject: Joomla!\r\nSubProject: CMS\r\nSeverity: Low\r\nVersions: 3.2.0 through 3.6.5\r\nExploit type: XSS\r\nReported Date: 2016-February-28\r\nFixed Date: 2017-April-25\r\nCVE Number: CVE-2017-7987\r\n\r\nDescription\r\nInadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.\r\nAffected Installs\r\nJoomla! CMS versions 3.2.0 through 3.6.5\r\nSolution\r\nUpgrade to version 3.7.0\r\nContact\r\nThe JSST at the Joomla! Security Centre.\r\nReported By: David Jardin