HomeJoomla!NewsfeedsJoomla! Security News

Newsfeeds Security Announcements

  • [20200403] - Core - Incorrect access control in com_users access level deletion function
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 2.5.0 - 3.9.16
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-March-13
    • Fixed Date: 2020-April-21
    • CVE Number: CVE-2020-11889

    Description

    Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

    Affected Installs

    Joomla! CMS versions 2.5.0 - 3.9.16

    Solution

    Upgrade to version 3.9.17

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC


  • [20200402] - Core - Missing checks for the root usergroup in usergroup table
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Moderate
    • Severity: Low
    • Versions: 2.5.0 - 3.9.16
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-February-27
    • Fixed Date: 2020-April-21
    • CVE Number: CVE-2020-11890

    Description

    Inproper input validations in the usergroup table class could lead to a broken ACL configuration.

    Affected Installs

    Joomla! CMS versions 2.5.0 - 3.9.16

    Solution

    Upgrade to version 3.9.17

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC


  • [20200401] - Core - Incorrect access control in com_users access level editing function
    • Project: Joomla!
    • SubProject: CMS
    • Impact: Low
    • Severity: Low
    • Versions: 3.8.8 - 3.9.16
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-March-13
    • Fixed Date: 2020-April-21
    • CVE Number: CVE-2020-11891

    Description

    Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

    Affected Installs

    Joomla! CMS versions 3.8.8 - 3.9.16

    Solution

    Upgrade to version 3.9.17

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC


  • [20200306] - Core - SQL injection in Featured Articles menu parameters
    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 1.7.0-3.9.15
    • Exploit type: SQL Injection
    • Reported Date: 2020-March-9
    • Fixed Date: 2020-March-10
    • CVE Number: CVE-2020-10243

    Description

    The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.

    Affected Installs

    Joomla! CMS versions 1.7.0 - 3.9.15

    Solution

    Upgrade to version 3.9.16

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Sam Thomas, Pentest.co.uk


  • [20200305] - Core - Incorrect Access Control in com_fields SQL field
    • Project: Joomla!
    • SubProject: CMS
    • Impact: High
    • Severity: Low
    • Versions: 3.7.0-3.9.15
    • Exploit type: Incorrect Access Control
    • Reported Date: 2020-February-28
    • Fixed Date: 2020-March-10
    • CVE Number: CVE-2020-10239

    Description

    Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

    Affected Installs

    Joomla! CMS versions 3.7.0 - 3.9.15

    Solution

    Upgrade to version 3.9.16

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Hoang Kien from VSEC


Go to top

NOTE! This site uses cookies and similar technologies.

If you not change browser settings, you agree to it. Learn more

I understand