Joomla Security Updates – January 2011
January 12, 2011 in Technology|Security Updates
Joomla! Security News
- [20101101] – Core – XSS Vulnerabilities
- [20101001] – Core – XSS Vulnerabilities
- [20100701] – Core – SQL Injection / Internal Path Exposure
- [20100702] – Core – XSS Vulnerabillitis in Back End
- [20100703] – Core – XSS Vulnerabilities in Back End
- [20100704] – Core – XSS Vulnerabilities in Back End
- [20100501] – Core – XSS Vulnerabilities in Back End
- [20100423] – Core – Negative Values for Limit and Offset
- [20100423] – Core – Installer Migration Script
| [20101101] – Core – XSS Vulnerabilities
Posted: 04 Nov 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Low § Versions: 1.5.21 and all previous 1.5 releases § Exploit type: SQL Injection – Information Disclosure § Reported Date: 2010-October-05 § Fixed Date: 2010-November-04 DescriptionInadequate filtering of request variables causes database errors. Affected InstallsAll 1.5.x installs prior to and including 1.5.21 are affected. SolutionUpgrade to the latest Joomla! version (1.5.22 or later) Reported by YGN Ethical Hacker Group ContactThe JSST at the Joomla! Security Center. |
| [20101001] – Core – XSS Vulnerabilities
Posted: 08 Oct 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.20 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-October-05 § Fixed Date: 2010-October-08 DescriptionInadequate filtering of multiple encoded entities permits XSS attacks in some circumstances. Affected InstallsAll 1.5.x installs prior to and including 1.5.20 are affected. SolutionUpgrade to the latest Joomla! version (1.5.21 or later) Reported by YGN Ethical Hacker Group ContactThe JSST at the Joomla! Security Center. |
| [20100701] – Core – SQL Injection / Internal Path Exposure
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Low § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: Internal Path Exposure § Reported Date: 2010-June-10 § Fixed Date: 2010-July-15 DescriptionBack-end user can create MySQL error which shows internal path information in the error message. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by Andy Gorges ContactThe JSST at the Joomla! Security Center. |
| [20100702] – Core – XSS Vulnerabillitis in Back End
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-June-8 § Fixed Date: 2010-July-15 DescriptionBack-end user can inject Javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by José Antonio Vázquez González ContactThe JSST at the Joomla! Security Center. |
| [20100703] – Core – XSS Vulnerabilities in Back End
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-June-8 § Fixed Date: 2010-July-15 DescriptionBack-end user can inject Javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by José Antonio Vázquez González ContactThe JSST at the Joomla! Security Center. |
| [20100704] – Core – XSS Vulnerabilities in Back End
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-June-1 § Fixed Date: 2010-July-15 DescriptionBack-end user can inject Javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by Mesut Timur. ContactThe JSST at the Joomla! Security Center. |
| [20100501] – Core – XSS Vulnerabilities in Back End
Posted: 27 May 2010 05:00 PM PDT § Project: Joomla! § SubProject: All § Severity: High § Versions: 1.5.17 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-May-13 § Fixed Date: 2010-May-28 DescriptionBack-end user can inject javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.17 are affected. SolutionUpgrade to the latest Joomla! version (1.5.18 or later) Reported by Riyaz Ahemed ContactThe JSST at the Joomla! Security Center. |
| [20100423] – Core – Negative Values for Limit and Offset
Posted: 23 Apr 2010 10:31 AM PDT § Project: Joomla! § SubProject: All § Severity: Moderate § Versions: 1.5.15 and all previous 1.5 releases § Exploit type: information Disclosure § Reported Date: 2010-Feb-21 § Fixed Date: 2010-Apr-23 DescriptionIf a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system. Affected InstallsAll 1.5.x installs prior to and including 1.5.15 are affected. SolutionUpgrade to the latest Joomla! version (1.5.16 or later) Reported by Security List ContactThe JSST at the Joomla! Security Center. |
| [20100423] – Core – Installer Migration Script
Posted: 23 Apr 2010 10:27 AM PDT § Project: Joomla! § SubProject: All § Severity: Low § Versions: 1.5.15 and all previous 1.5 releases § Exploit type: Code upload § Reported Date: 2009-Dec-30 § Fixed Date: 2010-Apr-23 DescriptionThe migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server. Affected InstallsAll 1.5.x installs prior to and including 1.5.15 are affected. SolutionUpgrade to the latest Joomla! version (1.5.16 or later) Reported by Nicola Bettini ContactThe JSST at the Joomla! Security Center. |
