Vulnerable extensions

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
    • Exploit type: ACL Violation
    • Reported Date: 2024-08-26
    • Fixed Date: 2025-01-07
    • CVE Number: CVE-2024-40749

    Description

    Improper Access Controls allows access to protected views.

    Affected Installs

    Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

    Solution

    Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Dominik Ziegelmüller

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
    • Exploit type: XSS
    • Reported Date: 2024-09-19
    • Fixed Date: 2025-01-07
    • CVE Number: CVE-2024-40748

    Description

    Lack of output escaping in the id attribute of menu lists.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

    Solution

    Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Lokesh Dachepalli

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-4.4.9, 5.0.0-5.2.2
    • Exploit type: XSS
    • Reported Date: 2024-08-29
    • Fixed Date: 2025-01-07
    • CVE Number: CVE-2024-40747

    Description

    Various module chromes didn't properly process inputs, leading to XSS vectors.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2

    Solution

    Upgrade to version 4.4.10 or 5.2.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Catalin Iovita

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
    • Exploit type: XSS
    • Reported Date: 2024-07-22
    • Fixed Date: 2024-08-20
    • CVE Number: CVE-2024-40743

    Description

    The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

    Solution

    Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Jesper den Boer

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Moderate
    • Probability: Low
    • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
    • Exploit type: XSS
    • Reported Date: 2024-07-22
    • Fixed Date: 2024-08-20
    • CVE Number: CVE-2024-27187

    Description

    Improper Access Controls allows backend users to overwrite their username when disallowed.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

    Solution

    Upgrade to version 4.4.7 or 5.1.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Elysee Franchuk

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Moderate
    • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
    • Exploit type: XSS
    • Reported Date: 2024-07-22
    • Fixed Date: 2024-08-20
    • CVE Number: CVE-2024-27186

    Description

    The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

    Affected Installs

    Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

    Solution

    Upgrade to version 4.4.7 or 5.1.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Elysee Franchuk

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
    • Exploit type: Cache Poisoning
    • Reported Date: 2024-05-23
    • Fixed Date: 2024-08-20
    • CVE Number: CVE-2024-27185

    Description

    The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

    Solution

    Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Shane Edwards

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Probability: Low
    • Versions: 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
    • Exploit type: Open redirect
    • Reported Date: 2024-03-20
    • Fixed Date: 2024-08-20
    • CVE Number: CVE-2024-27184

    Description

    Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.

    Affected Installs

    Joomla! CMS versions 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

    Solution

    Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Gareth Heyes (PortSwigger Research) & Teodor Ivanov

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
    • Exploit type: XSS
    • Reported Date: 2024-06-09
    • Fixed Date: 2024-07-09
    • CVE Number: CVE-2024-26278

    Description

    The Custom Fields component does not correctly filter inputs, leading to an XSS vector.

    Affected Installs

    Joomla! CMS versions 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

    Solution

    Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Jesper den Boer

    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Moderate
    • Probability: Low
    • Versions: 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
    • Exploit type: XSS
    • Reported Date: 2024-06-08
    • Fixed Date: 2024-07-09
    • CVE Number: CVE-2024-26279

    Description

    The wrapper extensions do not correctly validate inputs, leading to XSS vectors.

    Affected Installs

    Joomla! CMS versions 3.0.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

    Solution

    Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Jesper den Boer

© SiJoomla. All rights reserved.