- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0-3.9.18
- Exploit type: Insecure Permissions
- Reported Date: 2020-April-23
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-XXX
Description
The default settings of the global "textfilter" configuration doesn't block HTML inputs for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.
Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
Reported By: Brain Teeman