Joomla! multiple vulnerabilities

Description: The Joomla team has announced a new CMS release aimed at addressing multiple known vulnerabilities in the Joomla core.

Details:

  • Information Disclosure:
    • Multiple files caused full path disclosures on systems with error reporting enabled.
    • Mail sent using the JMail API leaked the used PHPMailer version in the mail headers.
  • ACL Violations:
    • Inadequate mime type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.
    • Inadequate filtering of form contents allowed the author of an article to be overwritten.
  • XSS Vulnerabilities:
    • Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.
    • Inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.
    • Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
    • Inadequate filtering leads to XSS in the template manager component.
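The two defensive patterns behind the upload and escaping fixes above, as an added example that is not Joomla's code: an upload check that decides by file content and an explicit allow-list rather than by the client-supplied MIME type or extension, and an output escaper that names the charset so multibyte input is handled as UTF-8. The function names, the allow-list and the sample input are assumptions made for this illustration.

```php
<?php
// Added example (not Joomla's code). Function names and the allow-list are
// assumptions for illustration.

declare(strict_types=1);

/**
 * Decide whether an uploaded file may be stored, based on the bytes on disk
 * rather than on $_FILES['type'] or the file extension.
 *
 * Returns null when the file is acceptable, or a reason string when rejected.
 */
function uploadRejectionReason(string $tmpPath, string $originalName): ?string
{
    // Explicit allow-list: anything not listed is refused, so a forbidden
    // type such as SWF never needs to be enumerated in a deny-list.
    $allowed = [
        'image/png'  => ['png'],
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/gif'  => ['gif'],
    ];

    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));

    // Detect the type from file content via libmagic, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false) {
        return 'could not determine file type';
    }

    if (!isset($allowed[$detected])) {
        return "content type {$detected} is not permitted";
    }
    if (!in_array($ext, $allowed[$detected], true)) {
        return "extension .{$ext} does not match content type {$detected}";
    }

    // Defence in depth: Flash containers begin with FWS, CWS or ZWS.
    $head = file_get_contents($tmpPath, false, null, 0, 3);
    if (in_array($head, ['FWS', 'CWS', 'ZWS'], true)) {
        return 'Flash content is forbidden';
    }

    return null;
}

/**
 * Escape a file or folder name before placing it in HTML output.
 * The charset is given explicitly so multibyte sequences are treated as
 * UTF-8; ENT_QUOTES covers attribute contexts; ENT_SUBSTITUTE replaces
 * invalid byte sequences instead of returning an empty string.
 */
function escapeName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Demonstration with a constructed file: an SWF-style header renamed to .png.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "FWS\x0a" . str_repeat("\0", 16));
var_dump(uploadRejectionReason($tmp, 'harmless.png')); // rejected: not in allow-list
unlink($tmp);

// A folder name carrying markup is rendered inert.
echo escapeName('<img src=x onerror=alert(1)>.png'), "\n";
```

The full path disclosure item is a configuration matter rather than a code one: on production systems `display_errors` should be off and `log_errors` on, so that PHP errors (which include absolute file paths) go to the server log instead of the response body.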

Affected versions: Joomla! CMS versions up to 3.6.5

Recommended action: Upgrade to version 3.7.0

Origin URLs:
