Joomla Update Blog

Most, if not all, issues with Joomla installations stem from not updating your Joomla version in a timely manner. Below you will find the standard Joomla Security RSS feed; these are only the updates you may need for the CORE of the software, not for any additional plugins you may have installed. It is important to always check your CORE Joomla files, but do not forget your added components or plugins. Also, always remove any unused components, themes or plugins from any installation (Joomla or any other software product).

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Low
Versions: 3.7.0 through 3.8.3
Exploit type: SQLi
Reported Date: 2017-November-17
Fixed Date: 2018-January-30
CVE Number: CVE-2018-6376

Description
The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Karim Ouerghemmi, ripstech.com

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 1.5.0 through 3.8.3
Exploit type: XSS
Reported Date: 2017-November-17
Fixed Date: 2018-January-30
CVE Number: CVE-2018-6379

Description
Inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Octavian Cinciu

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.7.0 through 3.8.3
Exploit type: XSS
Reported Date: 2018-January-20
Fixed Date: 2018-January-30
CVE Number: CVE-2018-6377

Description
Inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e. list, radio and checkbox.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle, JSST

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.0.0 through 3.8.3
Exploit type: XSS
Reported Date: 2018-January-21
Fixed Date: 2018-January-30
CVE Number: CVE-2018-6380

Description
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.7.0 through 3.8.1
Exploit type: Information Disclosure
Reported Date: 2017-May-17
Fixed Date: 2017-November-07
CVE Number: CVE-2017-16633

Description
A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Internal JSST audit

Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 3.2.0 through 3.8.1
Exploit type:
Reported Date: 2017-October-31
Fixed Date: 2017-November-07
CVE Number: CVE-2017-16634

Description
A bug allowed third parties to bypass a user's 2-factor-authentication method.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Yarince

Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 1.5.0 through 3.8.1
Exploit type: Information Disclosure
Reported Date: 2017-October-06
Fixed Date: 2017-November-07
CVE Number: CVE-2017-14596

Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 1.5.0 through 3.7.5
Exploit type: Information Disclosure
Reported Date: 2017-July-27
Fixed Date: 2017-September-19
CVE Number: CVE-2017-14596

Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.7.0 through 3.7.5
Exploit type: Information Disclosure
Reported Date: 2017-August-4
Fixed Date: 2017-September-19
CVE Number: CVE-2017-14595

Description
A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Michal Prochaczek

Project: Joomla!
SubProject: CMS Installer
Severity: High
Versions: 1.0.0 through 3.7.3
Exploit type: Lack of Ownership Verification
Reported Date: 2017-Apr-06
Fixed Date: 2017-July-25
CVE Number: CVE-2017-11364

Description
The CMS installer application lacked a process to verify the user's ownership of a webspace, potentially allowing users to gain control.
Please note: Already installed sites are not affected, as this issue is limited to the installer application!
Affected Installs
Joomla! CMS versions 1.0.0 through 3.7.3
Solution
Upgrade to version 3.7.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Hanno Böck
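The introduction asks you to check your CORE version against the feed. The script below is an added example, not part of this blog post and not Joomla project code: it parses advisory entries in the feed's own "Versions: X through Y" / "CVE Number" / "Solution" layout and lists which CVEs apply to a given installed core version. The sample feed is constructed here from four of the entries above (fields trimmed to what the check needs), the installed version numbers are assumptions, and the `installer_present` flag models the note in the CMS Installer advisory that already installed sites are not affected. Versions are compared as integer tuples rather than strings, so that 3.8.10 is correctly treated as newer than 3.8.4.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample feed (not a live fetch): four entries copied from the
# advisories above, reduced to the fields the check needs.
SAMPLE_FEED = """Project: Joomla!
SubProject: CMS
Versions: 3.7.0 through 3.8.3
Exploit type: SQLi
CVE Number: CVE-2018-6376
Solution
Upgrade to version 3.8.4

Project: Joomla!
SubProject: CMS
Versions: 1.5.0 through 3.8.3
Exploit type: XSS
CVE Number: CVE-2018-6379
Solution
Upgrade to version 3.8.4

Project: Joomla!
SubProject: CMS
Versions: 3.2.0 through 3.8.1
Exploit type:
CVE Number: CVE-2017-16634
Solution
Upgrade to version 3.8.2

Project: Joomla!
SubProject: CMS Installer
Versions: 1.0.0 through 3.7.3
Exploit type: Lack of Ownership Verification
CVE Number: CVE-2017-11364
Solution
Upgrade to version 3.7.4
"""

Version = Tuple[int, ...]
VERSION_RANGE = re.compile(r"(\d+(?:\.\d+)*)\s+through\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'3.8.10' -> (3, 8, 10). Integer tuples order correctly; plain strings
    would rank '3.8.10' below '3.8.4' and hide a missing update."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_feed(feed: str) -> List[Dict]:
    """Split the feed into blank-line separated entries and pull out the
    fields needed for a version check. Malformed entries are skipped."""
    advisories = []
    for block in re.split(r"\n\s*\n", feed.strip()):
        fields: Dict[str, str] = {}
        lines = block.splitlines()
        for i, line in enumerate(lines):
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
            elif line.strip() == "Solution" and i + 1 < len(lines):
                fields["Solution"] = lines[i + 1].strip()   # "Upgrade to version X"
        match = VERSION_RANGE.match(fields.get("Versions", ""))
        if not match or "CVE Number" not in fields:
            continue
        advisories.append({
            "cve": fields["CVE Number"],
            "subproject": fields.get("SubProject", ""),
            "type": fields.get("Exploit type") or "unspecified",  # feed leaves it blank sometimes
            "low": parse_version(match.group(1)),
            "high": parse_version(match.group(2)),
            "fixed": fields.get("Solution", ""),
        })
    return advisories


def applicable(advisories: List[Dict], installed: str,
               installer_present: bool = False) -> List[Dict]:
    """Advisories whose inclusive version range covers the installed version.
    Installer-only advisories count only if the installer is still present."""
    version = parse_version(installed)
    hits = []
    for adv in advisories:
        if adv["subproject"] == "CMS Installer" and not installer_present:
            continue
        if adv["low"] <= version <= adv["high"]:
            hits.append(adv)
    return hits


def report(advisories: List[Dict], installed: str,
           installer_present: bool = False) -> List[str]:
    """One line per applicable advisory, naming the fix the feed gives."""
    return [f"{a['cve']} [{a['type']}]: {a['fixed']}"
            for a in applicable(advisories, installed, installer_present)]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for installed in ("3.8.2", "3.8.4", "3.8.10"):   # assumed installed versions
        print(installed, report(feed, installed) or ["no applicable core advisories"])
```

Run against a real site, the feed text would come from the Joomla security feed and the installed version from the site's own version file; the check covers only the CORE advisories, exactly as the introduction warns, so extensions still need their own review.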