- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.2.0 - 3.9.24
- Exploit type: Insecure Randomness
- Reported Date: 2021-01-12
- Fixed Date: 2021-03-02
- CVE Number: CVE-2021-23126, CVE-2021-23127
Description
Usage of the insecure rand() function within the process of generating the 2FA secret.
Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes.
Please find more details on this doc page we prepared for this issue: https://docs.joomla.org/
This issue has been coordinated with Akeeba Ltd as contributor of the original FOF codebase to the core.
Affected Installs
Joomla! CMS versions 3.2.0 - 3.9.24
Solution
Upgrade to version 3.9.25
Contact
The JSST at the Joomla! Security Centre.
Reported By: Hanno Böck