Description: The Joomla team has announced a new CMS release that addresses multiple known vulnerabilities in the Joomla core.
- Information Disclosure:
- Multiple files caused full path disclosures on systems with error reporting enabled.
- Mail sent using the JMail API leaked the PHPMailer version in use in the mail headers.
- ACL Violations:
- Inadequate MIME type checks allowed low-privileged users to upload .swf files even when that file type was explicitly forbidden.
- Inadequate filtering of form contents allowed a user to overwrite the author of an article.
- XSS Vulnerabilities:
- Inadequate escaping of file and folder names led to XSS vulnerabilities in the template manager component.
- Inadequate filtering of specific HTML attributes led to XSS vulnerabilities in various components.
- Inadequate filtering of multibyte characters led to XSS vulnerabilities in various components.
- Inadequate filtering led to XSS in the template manager component.
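The MIME type issue above is the classic upload mistake: trusting the client-supplied content type and the file extension, so a .swf renamed to .jpg and declared as image/jpeg gets through a policy that forbids swf. The following is an added example written for this advisory, not Joomla's own upload code, showing the inadequate check beside a hardened one that also sniffs the leading bytes of the file. The allowed-type and forbidden-extension policy, the function names and the sample byte strings are all constructed for illustration.

```python
from typing import Optional, Tuple

# Magic bytes for the types this example recognises. SWF files start with
# "FWS" (uncompressed), "CWS" (zlib-compressed) or "ZWS" (LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Hypothetical site policy: low-privileged users may only upload these image
# types; swf and server-side script extensions are explicitly forbidden.
ALLOWED_MIME_TYPES = {"image/jpeg", "image/png", "image/gif"}
FORBIDDEN_EXTENSIONS = {"swf", "php", "phtml", "phar"}
EXTENSIONS_FOR_MIME = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/png": {"png"},
    "image/gif": {"gif"},
}

# Constructed sample payloads: an SWF header disguised under a .jpg name,
# and the first bytes of a genuine JPEG (JFIF APP0 marker).
DISGUISED_SWF = b"FWS\x0a" + b"\x00" * 28
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    if data[:3] in SWF_MAGIC:
        return "application/x-shockwave-flash"
    if data[:3] == JPEG_MAGIC:
        return "image/jpeg"
    if data[:8] == PNG_MAGIC:
        return "image/png"
    if data[:6] in GIF_MAGIC:
        return "image/gif"
    return None


def weak_check(filename: str, client_mime: str) -> bool:
    """Inadequate check: trusts the client-declared MIME type and only looks
    at the extension, so an SWF renamed to .jpg and sent as image/jpeg passes."""
    return _extension(filename) not in FORBIDDEN_EXTENSIONS and client_mime in ALLOWED_MIME_TYPES


def hardened_check(filename: str, client_mime: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if extension, declared MIME type and actual content agree."""
    ext = _extension(filename)
    if not ext or ext in FORBIDDEN_EXTENSIONS:
        return False, "forbidden or missing extension"
    if client_mime not in ALLOWED_MIME_TYPES:
        return False, "declared MIME type not allowed"
    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "unrecognised content"
    if sniffed != client_mime:
        return False, f"content is {sniffed}, declared {client_mime}"
    # sniffed is now one of the allowed types, so the lookup cannot fail.
    if ext not in EXTENSIONS_FOR_MIME[sniffed]:
        return False, f"extension .{ext} does not match {sniffed}"
    return True, "ok"


if __name__ == "__main__":
    print("weak    :", weak_check("banner.jpg", "image/jpeg"))
    print("hardened:", hardened_check("banner.jpg", "image/jpeg", DISGUISED_SWF))
    print("hardened:", hardened_check("photo.jpg", "image/jpeg", REAL_JPEG))
```

The disguised SWF passes weak_check because both the extension and the declared type look like a JPEG; hardened_check rejects it because the content sniffs as application/x-shockwave-flash. The reverse mismatch (a real JPEG uploaded under a .png name) is also rejected, which is the behaviour you want when the type later drives how the web server or browser handles the file.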
Affected versions: Joomla! CMS versions up to 3.6.5
Recommended action: Upgrade to version 3.7.0
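A practical check for the affected-version range, added here as an example and not part of the advisory or of Joomla itself: read the core version from the administrator/manifests/files/joomla.xml manifest that a Joomla 3.x install carries and compare it against 3.7.0. The sample manifest embedded below is constructed and trimmed to the elements the check reads; the function names are this example's own.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET
from typing import Tuple

Version = Tuple[int, int, int]

# Release that shipped the fixes; any lower version is in the affected range.
FIXED_VERSION: Version = (3, 7, 0)

# Location of the core manifest relative to the web root of a Joomla 3.x tree.
MANIFEST_RELPATH = os.path.join("administrator", "manifests", "files", "joomla.xml")

# Constructed sample manifest, reduced to the elements this check reads.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.6.5</version>
</extension>
"""


def parse_version(text: str) -> Version:
    """Turn '3.6.5' (or '3.7.0-rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_from_manifest(xml_text: str) -> Version:
    """Extract the <version> element of the core file manifest."""
    root = ET.fromstring(xml_text)
    version = root.findtext("version")
    if version is None:
        raise ValueError("manifest has no <version> element")
    return parse_version(version)


def is_affected(version: Version) -> bool:
    """True for every release below the fixed version (i.e. up to 3.6.5)."""
    return version < FIXED_VERSION


def check_install(webroot: str) -> Tuple[Version, bool]:
    """Read the manifest under a real web root and classify the install."""
    with open(os.path.join(webroot, MANIFEST_RELPATH), encoding="utf-8") as fh:
        version = version_from_manifest(fh.read())
    return version, is_affected(version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found, affected = check_install(sys.argv[1])
    else:
        found = version_from_manifest(SAMPLE_MANIFEST)
        affected = is_affected(found)
    status = "AFFECTED, upgrade to 3.7.0" if affected else "not affected"
    print("Joomla %d.%d.%d: %s" % (found + (status,)))
```

Run it with the web root as the only argument to check a real install; with no argument it evaluates the embedded sample and reports 3.6.5 as affected. Because the comparison is a plain tuple comparison against (3, 7, 0), the check also flags older 2.5 and 3.x branches, which matches the advisory's "up to 3.6.5".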