Following issues found in Joomla. Please upgrade your Joomla site to Version 3.7.0 as soon as possible.

[20170408] - Core - Information Disclosure

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.4.0 through 3.6.5
  • Exploit type: Information Disclosure
  • Reported Date: 2016-Feb-06
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-8057

Description

Multiple files caused full path disclosures on systems with enabled error reporting.

Affected Installs

Joomla! CMS versions 3.4.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sim of tencent security
 

[20170407] - Core - ACL Violations

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.2.0 through 3.6.5
  • Exploit type: ACL Violation
  • Reported Date: 2017-March-01
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7989

Description

Inadequate mime type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Abdullah Hussam

[20170406] - Core - ACL Violations

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.6.0 through 3.6.5
  • Exploit type: ACL Violation
  • Reported Date: 2016-April-29
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7988

Description

Inadequate filtering of form contents lead allow to overwrite the author of an article.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: T-Systems Multimedia Solutions

[20170405] - Core - XSS Vulnerability

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.2.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2016-February-28
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7987

Description

Inadequate escaping of file and folder names leads to XSS vulnerabilites in the template manager component.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: David Jardin

[20170404] - Core - XSS Vulnerability

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2017-February-22
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7986

Description

Inadequate filtering of specific HTML attributes leads to XSS vulnerabilites in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Fortinet's FortiGuard Labs

[20170403] - Core - XSS Vulnerability

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2017-March-21
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7985

Description

Inadequate filtering of multibyte characters leads to XSS vulnerabilites in various components.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Fortinet's FortiGuard Labs

[20170402] - Core - XSS Vulnerability

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.2.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2016-December-23
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7984

Description

Inadequate filtering leads to XSS in the template manager component.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Chen Ruiqi

[20170401] - Core - Information Disclosure

Posted: 25 Apr 2017 08:30 AM PDT

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-Jan-02
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7983

Description

Mail sent using the JMail API leaked the used PHPMailer version in the mail headers.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.6.5

Solution

Upgrade to version 3.7.0

Contact

The JSST at the Joomla! Security Centre.

Reported By: Conor McKnight


Wednesday, April 26, 2017







« Back