Joomla News from JoomlaWebHosting.ca 
Published: 08 November 2017

[20171103] - Core - Information Disclosure 
Posted: 07 Nov 2017 07:00 AM PST
Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.7.0 through 3.8.1
Exploit type: Information Disclosure
Reported Date: 2017-May-17
Fixed Date: 2017-November-07
CVE Number: CVE-2017-16633
Description 
A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
Affected Installs 
Joomla! CMS versions 3.7.0 through 3.8.1
Solution 
Upgrade to version 3.8.2
Contact 
The JSST at the Joomla! Security Centre.
Reported By:  Internal JSST audit
 
 
 
[20171102] - Core - 2-factor-authentication bypass 
Posted: 07 Nov 2017 07:00 AM PST
Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 3.2.0 through 3.8.1
Exploit type:
Reported Date: 2017-October-31
Fixed Date: 2017-November-07
CVE Number: CVE-2017-16634
Description 
A bug allowed third parties to bypass a user's 2-factor-authentication method.
Affected Installs 
Joomla! CMS versions 3.2.0 through 3.8.1
Solution 
Upgrade to version 3.8.2
Contact 
The JSST at the Joomla! Security Centre.
Reported By:  Yarince
 
 
 
[20171101] - Core - LDAP Information Disclosure 
Posted: 07 Nov 2017 07:00 AM PST
Project: Joomla!
SubProject: CMS
Severity: Medium
Versions: 1.5.0 through 3.8.1
Exploit type: Information Disclosure
Reported Date: 2017-October-06
Fixed Date: 2017-November-07
CVE Number: CVE-2017-14596
Description 
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs 
Joomla! CMS versions 1.5.0 through 3.8.1
Solution 
Upgrade to version 3.8.2
Contact 
The JSST at the Joomla! Security Centre.

Published: 20 September 2017

Description 
A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
Affected Installs 
Joomla! CMS versions 3.7.0 through 3.7.5
Solution 
Upgrade to version 3.8.0
Description 
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs 
Joomla! CMS versions 1.5.0 through 3.7.5
Solution 
Upgrade to version 3.8.0
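The September and November LDAP entries above both describe inadequate escaping in the LDAP authentication plugin. The following is an added example, not the plugin's code, showing the standard mitigation for that class of defect: escaping each untrusted value under the RFC 4515 rules before it is placed into a search filter. It assumes the username is interpolated into a filter template through a `[search]` placeholder (a convention constructed for this example); `escapeLdapFilterValue` and `buildUserFilter` are hypothetical names, and the sample username is constructed.

```php
<?php
declare(strict_types=1);

// RFC 4515 section 3: these characters carry filter syntax and must be encoded
// as a backslash followed by two hex digits when they occur inside a value.
// Note that the apostrophe is not special in an LDAP filter (this is not SQL).
function escapeLdapFilterValue(string $value): string
{
    return strtr($value, [
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    ]);
}

// Builds the search filter from a template. The [search] placeholder is an
// assumption of this example, not a documented plugin setting.
function buildUserFilter(string $template, string $username): string
{
    return str_replace('[search]', escapeLdapFilterValue($username), $template);
}

// Constructed input: a benign name that happens to contain filter metacharacters.
$template = '(uid=[search])';
$username = "o'neil (sales)*";

echo buildUserFilter($template, $username), PHP_EOL;

// Cross-check against ext-ldap's own implementation where the extension is loaded;
// ldap_escape() with LDAP_ESCAPE_FILTER applies the same character set.
if (function_exists('ldap_escape')) {
    $same = ldap_escape($username, '', LDAP_ESCAPE_FILTER) === escapeLdapFilterValue($username);
    echo 'matches ldap_escape(): ', $same ? 'yes' : 'no', PHP_EOL;
}
```

After escaping, the parentheses and the wildcard in the sample name are matched literally rather than being interpreted as filter syntax, so a supplied value can only ever narrow the search to a single attribute comparison. Where ext-ldap is available, prefer the built-in `ldap_escape()` over a hand-rolled table.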

Published: 26 July 2017

Description 
The CMS installer application lacked a process to verify the user's ownership of a webspace, potentially allowing users to gain control.
Please note: Already installed sites are not affected, as this issue is limited to the installer application!
Affected Installs 
Joomla! CMS versions 1.0.0 through 3.7.3
Solution 
Upgrade to version 3.7.4

Published: 05 July 2017

Description 
Improper cache invalidation leads to disclosure of form contents.
Affected Installs 
Joomla! CMS versions 1.7.3 through 3.7.2
Solution 
Upgrade to version 3.7.3

Published: 18 May 2017

Description 
Inadequate filtering of request data leads to a SQL Injection vulnerability.
Affected Installs 
Joomla! CMS version 3.7.0
Solution 
Upgrade to version 3.7.1

Published: 26 April 2017

Description 
Multiple files caused full path disclosures on systems with enabled error reporting.
Affected Installs 
Joomla! CMS versions 3.4.0 through 3.6.5
Solution 
Upgrade to version 3.7.0

Published: 17 December 2016

[20161204] - Misc. Security Hardening 
Posted: 13 Dec 2016 09:00 PM PST
Project: Joomla!
SubProject: CMS
Description 
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restrict a user's ability to make potentially damaging configuration changes. This includes restricting the ability to set the "New User Registration Group" and "Guest User Group" to a group with Super User permissions, and restricting the ability of a lesser-privileged user to change the user group assignments of users in a Super User group.
Additionally, we have modified the behavior of JUser::authorise() so that it only returns a boolean value. Previously, this method could return either a boolean or null, because the underlying call to JAccess::check() can also return null; neither JUser::authorise() nor JAccess::check() documented this. Based on how the API is used, we have determined that JUser::authorise() should only return a boolean. If a developer requires the previous behavior of a null return value (which indicates an "implicit" denied state, as opposed to the "explicit" denial signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
Contact 
The JSST at the Joomla! Security Centre.
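To make the difference between the tri-state JAccess::check() result and the boolean JUser::authorise() result concrete, here is an added example (not Joomla code) built around a stand-in ACL lookup. `hypotheticalAclCheck`, `authoriseLegacy`, `authoriseStrict` and `callerGrantsAccess` are constructed names, and the rule table is constructed; the point it demonstrates is why a caller that only tests for an explicit `false` fails open when an implicit-deny null comes back from a method it assumed to be boolean.

```php
<?php
declare(strict_types=1);

// Stand-in for a tri-state ACL lookup: true = explicit allow, false = explicit
// deny, null = no rule applies (implicit deny). Not JAccess::check() itself.
function hypotheticalAclCheck(array $rules, string $action, string $group): ?bool
{
    return $rules[$action][$group] ?? null;
}

// Pre-3.6.5 style wrapper: the null from the underlying check leaks through.
function authoriseLegacy(array $rules, string $action, string $group): ?bool
{
    return hypotheticalAclCheck($rules, $action, $group);
}

// 3.6.5 style wrapper: only a literal true counts as allowed, so an implicit
// deny is reported as false exactly like an explicit deny.
function authoriseStrict(array $rules, string $action, string $group): bool
{
    return hypotheticalAclCheck($rules, $action, $group) === true;
}

// A caller written against the undocumented assumption that the wrapper returns
// a boolean: it treats anything other than an explicit false as permission.
function callerGrantsAccess(callable $authorise, array $rules, string $action, string $group): bool
{
    return $authorise($rules, $action, $group) !== false;
}

// Constructed rule table: 'core.manage' has no rule at all for 'registered'.
$rules = [
    'core.admin'  => ['super-users' => true, 'registered' => false],
    'core.manage' => ['super-users' => true],
];

foreach (['authoriseLegacy', 'authoriseStrict'] as $wrapper) {
    $granted = callerGrantsAccess($wrapper, $rules, 'core.manage', 'registered');
    printf("%-15s core.manage for registered: %s\n", $wrapper, $granted ? 'GRANTED' : 'denied');
}
```

Run as is, the legacy wrapper lets the `!== false` caller grant `core.manage` to the registered group because null is neither true nor false, while the strict wrapper denies it. Code that genuinely needs to tell implicit from explicit denial should call the tri-state check directly, which is what the advisory recommends with JAccess::check().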
 
  
 
[20161203] - Core - Information Disclosure 
Posted: 13 Dec 2016 09:00 PM PST
Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.0.0 through 3.6.4
Exploit type: Information Disclosure
Reported Date: 2016-April-15
Fixed Date: 2016-December-06
CVE Number: CVE-2016-9837
Description 
Inadequate ACL checks in the Beez3 com_content article layout override enable a user to view restricted content.
Affected Installs 
Joomla! CMS versions 3.0.0 through 3.6.4
Solution 
Upgrade to version 3.6.5
Contact 
The JSST at the Joomla! Security Centre.
Reported By:  Christiaan Klatte and Brian Teeman
 
 
 
[20161202] - Core - Shell Upload 
Posted: 13 Dec 2016 09:00 PM PST
Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 3.0.0 through 3.6.4
Exploit type: Shell Upload
Reported Date: 2016-October-26
Fixed Date: 2016-December-06
CVE Number: CVE-2016-9836
Description 
Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.
Affected Installs 
Joomla! CMS versions 3.0.0 through 3.6.4
Solution 
Upgrade to version 3.6.5
Contact 
The JSST at the Joomla! Security Centre.
Reported By:  Xiphos Research Ltd.
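As an added defensive illustration for this advisory (not Joomla's upload code), the check below refuses an uploaded filename when any dot-separated segment is a PHP-executable extension, and additionally requires the final extension to be on an allowlist. Both extension lists, the function name and the sample filenames are constructed for the example; a real handler would pair this with server-side content checks and storage outside the web root, since a name check alone is not a filesystem check.

```php
<?php
declare(strict_types=1);

// Illustrative lists, not Joomla's configured values.
const DENIED_EXTENSIONS  = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'pht'];
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function isUploadNameAllowed(string $filename): bool
{
    // Drop any directory part the client sent along, then split on dots.
    $parts = array_map('strtolower', explode('.', basename($filename)));

    // Require a base name and at least one extension; reject dot-files.
    if (count($parts) < 2 || $parts[0] === '') {
        return false;
    }

    // Check every extension segment, not only the last: some server handler
    // configurations dispatch on any matching segment, so "x.php.jpg" is unsafe.
    foreach (array_slice($parts, 1) as $segment) {
        if ($segment === '' || in_array($segment, DENIED_EXTENSIONS, true)) {
            return false;
        }
    }

    // Finally the real extension must be one the application expects.
    return in_array(end($parts), ALLOWED_EXTENSIONS, true);
}

// Constructed sample names exercising each rule.
$samples = ['photo.jpg', 'report.PDF', 'avatar.phtml', 'image.php5.jpg', 'notes.txt.', '.htaccess', 'README'];
foreach ($samples as $name) {
    printf("%-16s %s\n", $name, isUploadNameAllowed($name) ? 'accept' : 'reject');
}
```

The denylist catches the alternative PHP extensions the advisory refers to regardless of where they sit in the name, and the allowlist closes the remaining gap for extensions nobody thought to deny; case is normalised first so `report.PDF` and `report.pdf` are treated alike.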
 
 
 
[20161201] - Core - Elevated Privileges 
Posted: 13 Dec 2016 09:00 PM PST
Project: Joomla!
SubProject: CMS
Severity: High
Versions: 1.6.0 through 3.6.4
Exploit type: Elevated Privileges
Reported Date: 2016-November-04
Fixed Date: 2016-December-06
CVE Number: CVE-2016-9838
Description 
Incorrect use of unfiltered data stored to the session on a form validation failure allows existing user accounts to be modified, including resetting their username, password, and user group assignments.
Affected Installs 
Joomla! CMS versions 1.6.0 through 3.6.4
Solution 
Upgrade to version 3.6.5
Contact 
The JSST at the Joomla! Security Centre.
 
 
 
 