[20201103] – Core – Path traversal in mod_random_image

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Versions: 2.5.0-3.9.22
  • Exploit type: Path traversal
  • Reported Date: 2020-10-06
  • Fixed Date: 2020-11-24
  • CVE Number: CVE-2020-xxx (TBA)

Description

The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.22

Solution

Upgrade to version 3.9.23

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lee Thao from Viettel Cyber Security, Phil Taylor

Leave a Comment