Joomla News

Joomla matters
In this section we publish our news about Joomla! and its countless extensions; see https://extensions.joomla.org
Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Low | Probability: Low
Versions: 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: Open redirect | Reported Date: 2024-03-20 | Fixed Date: 2024-08-20 | CVE Number: CVE-2024-27184
Description: Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.
Affected Installs: Joomla! CMS versions 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Solution: Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3
Contact: The JSST at the Joomla! Security Centre.
Reported By: Gareth Heyes (PortSwigger Research) & Teodor Ivanov...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Low | Probability: Low
Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: Cache Poisoning | Reported Date: 2024-05-23 | Fixed Date: 2024-08-20 | CVE Number: CVE-2024-27185
Description: The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
Affected Installs: Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Solution: Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3
Contact: The JSST at the Joomla! Security Centre.
Reported By: Shane Edwards...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: Moderate | Probability: Moderate
Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: XSS | Reported Date: 2024-07-22 | Fixed Date: 2024-08-20 | CVE Number: CVE-2024-27186
Description: The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
Affected Installs: Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2
Solution: Upgrade to version 4.4.7 or 5.1.3
Contact: The JSST at the Joomla! Security Centre.
Reported By: Elysee Franchuk...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Moderate | Probability: Low
Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: XSS | Reported Date: 2024-07-22 | Fixed Date: 2024-08-20 | CVE Number: CVE-2024-27187
Description: Improper access controls allow backend users to overwrite their username when this is disallowed.
Affected Installs: Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2
Solution: Upgrade to version 4.4.7 or 5.1.3
Contact: The JSST at the Joomla! Security Centre.
Reported By: Elysee Franchuk...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Moderate | Probability: Low
Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Exploit type: XSS | Reported Date: 2024-07-22 | Fixed Date: 2024-08-20 | CVE Number: CVE-2024-40743
Description: The stripImages and stripIframes methods did not properly process inputs, leading to XSS vectors.
Affected Installs: Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Solution: Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3
Contact: The JSST at the Joomla! Security Centre.
Reported By: Jesper den Boer...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: Moderate | Probability: Moderate
Versions: 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS | Reported Date: 2024-02-20 | Fixed Date: 2024-07-09 | CVE Number: CVE-2024-21729
Description: Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
Affected Installs: Joomla! CMS versions 4.0.0-4.4.5, 5.0.0-5.1.1
Solution: Upgrade to version 4.4.6 or 5.1.2
Contact: The JSST at the Joomla! Security Centre.
Reported By: Marco Kadlubski...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Low | Probability: Low
Versions: 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS | Reported Date: 2024-06-03 | Fixed Date: 2024-07-09 | CVE Number: CVE-2024-21730
Description: The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
Affected Installs: Joomla! CMS versions 4.0.0-4.4.5, 5.0.0-5.1.1
Solution: Upgrade to version 4.4.6 or 5.1.2
Contact: The JSST at the Joomla! Security Centre.
Reported By: Jesper den Boer...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: Moderate | Probability: Low
Versions: 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS | Reported Date: 2024-06-08 | Fixed Date: 2024-07-09 | CVE Number: CVE-2024-21731
Description: Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
Affected Installs: Joomla! CMS versions 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Solution: Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2
Contact: The JSST at the Joomla! Security Centre.
Reported By: Jesper den Boer...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: Moderate | Probability: Low
Versions: 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS | Reported Date: 2024-06-08 | Fixed Date: 2024-07-09 | CVE Number: CVE-2024-26278
Description: The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
Affected Installs: Joomla! CMS versions 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Solution: Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2
Contact: The JSST at the Joomla! Security Centre.
Reported By: Jesper den Boer...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: Moderate | Probability: Low
Versions: 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Exploit type: XSS | Reported Date: 2024-06-09 | Fixed Date: 2024-07-09 | CVE Number: CVE-2024-26279
Description: The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
Affected Installs: Joomla! CMS versions 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Solution: Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2
Contact: The JSST at the Joomla! Security Centre.
Reported By: Jesper den Boer...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Low | Probability: Low
Versions: 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: Insufficient Session Expiration | Reported Date: 2023-11-29 | Fixed Date: 2024-02-20 | CVE Number: CVE-2024-21722
Description: The MFA management features did not properly terminate existing user sessions when a user's MFA methods had been modified.
Affected Installs: Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Solution: Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3
Contact: The JSST at the Joomla! Security Centre....

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Low | Severity: Low | Probability: Low
Versions: 1.5.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: Open Redirect | Reported Date: 2023-11-08 | Fixed Date: 2024-02-20 | CVE Number: CVE-2024-21723
Description: Inadequate parsing of URLs could result in an open redirect.
Affected Installs: Joomla! CMS versions 1.5.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Solution: Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3
Contact: The JSST at the Joomla! Security Centre....

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: Moderate | Probability: Moderate
Versions: 1.6.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: XSS | Reported Date: 2024-01-09 | Fixed Date: 2024-02-20 | CVE Number: CVE-2024-21724
Description: Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
Affected Installs: Joomla! CMS versions 1.6.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Solution: Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3
Contact: The JSST at the Joomla! Security Centre....

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: Moderate | Severity: High | Probability: High
Versions: 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: XSS | Reported Date: 2024-01-30 | Fixed Date: 2024-02-20 | CVE Number: CVE-2024-21725
Description: Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
Affected Installs: Joomla! CMS versions 4.0.0-4.4.2, 5.0.0-5.0.2
Solution: Upgrade to version 4.4.3 or 5.0.3
Contact: The JSST at the Joomla! Security Centre....

Joomla.org security advisories
Project: Joomla! / Joomla! Framework | SubProject: CMS / filter | Impact: Moderate | Severity: Moderate | Probability: Moderate
Versions: 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Exploit type: XSS | Reported Date: 2023-11-22 | Fixed Date: 2024-02-20 | CVE Number: CVE-2024-21726
Description: Inadequate content filtering leads to XSS vulnerabilities in various components.
Affected Installs: Joomla! CMS versions 3.7.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2
Solution: Upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3
Contact: The JSST at the Joomla! Security Centre....

vel.joomla.org Vulnerable Extensions: osTicky2 (version not given), 3rd party extension, Other: abandoned - remove from site...

Joomla.org security advisories
Project: Joomla! | SubProject: CMS | Impact: High | Severity: High | Probability: Low
Versions: 1.6.0-4.4.0, 5.0.0
Exploit type: Information Disclosure | Reported Date: 2023-07-14 | Fixed Date: 2023-11-21 | CVE Number: CVE-2023-40626
Description: The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.
Affected Installs: Joomla! CMS versions 1.6.0-4.4.0, 5.0.0
Solution: Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1
Contact: The JSST at the Joomla! Security Centre....

vel.joomla.org Vulnerable Extensions: EasyShop, 1.4.1, 3rd party extension, XSS (Cross Site Scripting)...

vel.joomla.org Resolved Extensions: LazyDbBackup, 3.9.0, 3rd party extension, Other. LazyDbBackup Version: 4.0.8, Developer: Robert Gastaud, Last updated: Oct 17 2023 (2 days ago)...

vel.joomla.org Resolved Extensions: HikaShop Starter 4.7.5 [2308101603], 3rd party extension, XSS (Cross Site Scripting). Developer statement: We fixed a stored XSS through SVG file upload security issue. You can read more about it here. Note that it only affects HikaShop versions above the 4.6.2 up to the 5.0.1 and not if you updated HikaShop from previous versions, as default support of SVG images for the upload of images was only added in the 4.7.0 for new installations of HikaShop. Also, it requires access to the backend of the website to perform, and can be avoided easily by removing the possibility of uploading svg files in the HikaShop configuration's "allowed images" setting or updating your HikaShop to the 5.0.2...
