Security Centre

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.0.0 through 3.8.3
Exploit type: XSS
Reported Date: 2018-January-21
Fixed Date: 2018-January-30
CVE Number: CVE-2018-6380

Description
Lack of escaping in the module chromes le…

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.7.0 through 3.8.1
Exploit type: Information Disclosure
Reported Date: 2017-May-17
Fixed Date: 2017-November-07
CVE Number: CVE-2017-16633

Description
A logic bug in com_fields exposed read-o…

Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 3.2.0 through 3.8.1
Exploit type: 
Reported Date: 2017-October-31
Fixed Date: 2017-November-07
CVE Number: CVE-2017-16634

Description
A bug allowed third parties to bypass a user’s 2-factor…

Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 1.5.0 through 3.8.1
Exploit type: Information Disclosure
Reported Date: 2017-October-06
Fixed Date: 2017-November-07
CVE Number: CVE-2017-14596

Description
Inadequate escaping in the LDAP au…

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.7.0 through 3.7.5
Exploit type: Information Disclosure
Reported Date: 2017-August-4
Fixed Date: 2017-September-19
CVE Number: CVE-2017-14595

Description
A logic bug in a SQL query could lead …

Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 1.5.0 through 3.7.5
Exploit type: Information Disclosure
Reported Date: 2017-July-27
Fixed Date: 2017-September-19
CVE Number: CVE-2017-14596

Description
Inadequate escaping in the LDAP auth…

• Project: Joomla!
• SubProject: CMS Installer
• Severity: High
• Versions: 1.0.0 through 3.7.3
• Exploit type: Lack of Ownership Verification
• Reported Date: 2017-Apr-06
• Fixed Date: 2017-July-25
• CVE Number: CVE-2017-11364

Description

The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control.

Please note: Already installed sites are not affected, as this issue is limited to the installer application!

Affected Installs

Joomla! CMS versions 1.0.0 through 3.7.3

Solution

Upgrade to version 3.7.4

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: Low
• Versions: 1.5.0 through 3.7.3
• Exploit type: XSS
• Reported Date: 2017-April-26
• Fixed Date: 2017-July-25
• CVE Number: CVE-2017-11612

Description

Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.7.3

Solution

Upgrade to version 3.7.4

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: Low
• Versions: 1.5.0 through 3.6.5
• Exploit type: XSS
• Reported Date: 2017-June-22
• Fixed Date: 2017-July-04
• CVE Number: CVE-2017-7985

Description

Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.6.5

Solution

Upgrade to version 3.7.3

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 1.7.3 – 3.7.2
• Exploit type: Information Disclosure
• Reported Date: 2016-Feb-05
• Fixed Date: 2017-July-04
• CVE Number: CVE-2017-9933

Description

Improper cache invalidation leads to disclosure of form contents.

Affected Installs

Joomla! CMS versions 1.7.3-3.7.2

Solution

Upgrade to version 3.7.3

Contact

The JSST at the Joomla! Security Centre.