Informations de sécurité Joomla!
-
[20210103] - Core - XSS in com_tags image parameters
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions:3.1.0 - 3.9.23
- Exploit type: XSS
- Reported Date: 2020-09-01
- Fixed Date: 2021-01-12
- CVE Number: CVE-2021-23125
Description
Lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors.
Affected Installs
Joomla! CMS versions 3.1.0 - 3.9.23
Solution
Upgrade to version 3.9.24
Contact
The JSST at the Joomla! Security Centre.
Reported By:Šarūnas Paulauskas -
[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions:3.9.0 - 3.9.23
- Exploit type: XSS
- Reported Date: 2020-09-01
- Fixed Date: 2021-01-12
- CVE Number: CVE-2021-23124
Description
Lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.23
Solution
Upgrade to version 3.9.24
Contact
The JSST at the Joomla! Security Centre.
Reported By:Šarūnas Paulauskas -
[20210101] - Core - com_modules exposes module names
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions:3.0.0 - 3.9.23
- Exploit type: Incorrect Access Control
- Reported Date: 2020-07-07
- Fixed Date: 2021-01-12
- CVE Number: CVE-2021-23123
Description
Lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.
Affected Installs
Joomla! CMS versions 3.0.0 - 3.9.23
Solution
Upgrade to version 3.9.24
Contact
The JSST at the Joomla! Security Centre.
Reported By:Phil Taylor -
[20201107] - Core - Write ACL violation in multiple core views
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Versions:1.7.0 - 3.9.22
- Exploit type: ACL Violation
- Reported Date: 2018-11-04
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35616
Description
Lack of input validation while handling ACL rulesets can cause write ACL violations.
Affected Installs
Joomla! CMS versions 1.7.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: Elisa Foltyn, Benjamin Trenkle -
[20201106] - Core - CSRF in com_privacy emailexport feature
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.9.0-3.9.22
- Exploit type: CSRF
- Reported Date: 2020-10-08
- Fixed Date: 2020-11-24
- CVE Number: CVE-2020-35615
Description
A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.9.0 - 3.9.22
Solution
Upgrade to version 3.9.23
Contact
The JSST at the Joomla! Security Centre.
Reported By: Lee Thao from Viettel Cyber Security
- Soleiluna
- Gite du Sacriba
- Hôtel Le Céans
- Domaine Belle Plage
- Mango Lodge
- Chalet des Cinq Domes
- Hôtel Restaurant La Cremaillère
- Les Hauts Pâturages
- La Tabletterie
- Château du Doux
- Auberge Le Cheylet
- Ferme Auberge de la Besse
- Le Relais du Buis d'Aps
- Auberge du Pont d'Arc
- Au Vieux Guide
- L'Aubergiste Gourmand
- Le Tour du Monde
- La Rabouillère
- Hôtel Restaurant Le Raisin
- Gîte la Fruitière Solaison