Posts Tagged ‘joomla’
Joomla Security Updates – January 2011
Joomla! Security News
- [20101101] – Core – XSS Vulnerabilities
- [20101001] – Core – XSS Vulnerabilities
- [20100701] – Core – SQL Injection / Internal Path Exposure
- [20100702] – Core – XSS Vulnerabillitis in Back End
- [20100703] – Core – XSS Vulnerabilities in Back End
- [20100704] – Core – XSS Vulnerabilities in Back End
- [20100501] – Core – XSS Vulnerabilities in Back End
- [20100423] – Core – Negative Values for Limit and Offset
- [20100423] – Core – Installer Migration Script
| [20101101] – Core – XSS Vulnerabilities
Posted: 04 Nov 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Low § Versions: 1.5.21 and all previous 1.5 releases § Exploit type: SQL Injection – Information Disclosure § Reported Date: 2010-October-05 § Fixed Date: 2010-November-04 DescriptionInadequate filtering of request variables causes database errors. Affected InstallsAll 1.5.x installs prior to and including 1.5.21 are affected. SolutionUpgrade to the latest Joomla! version (1.5.22 or later) Reported by YGN Ethical Hacker Group ContactThe JSST at the Joomla! Security Center. |
| [20101001] – Core – XSS Vulnerabilities
Posted: 08 Oct 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.20 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-October-05 § Fixed Date: 2010-October-08 DescriptionInadequate filtering of multiple encoded entities permits XSS attacks in some circumstances. Affected InstallsAll 1.5.x installs prior to and including 1.5.20 are affected. SolutionUpgrade to the latest Joomla! version (1.5.21 or later) Reported by YGN Ethical Hacker Group ContactThe JSST at the Joomla! Security Center. |
| [20100701] – Core – SQL Injection / Internal Path Exposure
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Low § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: Internal Path Exposure § Reported Date: 2010-June-10 § Fixed Date: 2010-July-15 DescriptionBack-end user can create MySQL error which shows internal path information in the error message. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by Andy Gorges ContactThe JSST at the Joomla! Security Center. |
| [20100702] – Core – XSS Vulnerabillitis in Back End
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-June-8 § Fixed Date: 2010-July-15 DescriptionBack-end user can inject Javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by José Antonio Vázquez González ContactThe JSST at the Joomla! Security Center. |
| [20100703] – Core – XSS Vulnerabilities in Back End
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-June-8 § Fixed Date: 2010-July-15 DescriptionBack-end user can inject Javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by José Antonio Vázquez González ContactThe JSST at the Joomla! Security Center. |
| [20100704] – Core – XSS Vulnerabilities in Back End
Posted: 15 Jul 2010 09:04 AM PDT § Project: Joomla! § SubProject: All § Severity: Medium § Versions: 1.5.19 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-June-1 § Fixed Date: 2010-July-15 DescriptionBack-end user can inject Javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.19 are affected. SolutionUpgrade to the latest Joomla! version (1.5.20 or later) Reported by Mesut Timur. ContactThe JSST at the Joomla! Security Center. |
| [20100501] – Core – XSS Vulnerabilities in Back End
Posted: 27 May 2010 05:00 PM PDT § Project: Joomla! § SubProject: All § Severity: High § Versions: 1.5.17 and all previous 1.5 releases § Exploit type: XSS Injection § Reported Date: 2010-May-13 § Fixed Date: 2010-May-28 DescriptionBack-end user can inject javascript in various administrator screens. Affected InstallsAll 1.5.x installs prior to and including 1.5.17 are affected. SolutionUpgrade to the latest Joomla! version (1.5.18 or later) Reported by Riyaz Ahemed ContactThe JSST at the Joomla! Security Center. |
| [20100423] – Core – Negative Values for Limit and Offset
Posted: 23 Apr 2010 10:31 AM PDT § Project: Joomla! § SubProject: All § Severity: Moderate § Versions: 1.5.15 and all previous 1.5 releases § Exploit type: information Disclosure § Reported Date: 2010-Feb-21 § Fixed Date: 2010-Apr-23 DescriptionIf a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system. Affected InstallsAll 1.5.x installs prior to and including 1.5.15 are affected. SolutionUpgrade to the latest Joomla! version (1.5.16 or later) Reported by Security List ContactThe JSST at the Joomla! Security Center. |
| [20100423] – Core – Installer Migration Script
Posted: 23 Apr 2010 10:27 AM PDT § Project: Joomla! § SubProject: All § Severity: Low § Versions: 1.5.15 and all previous 1.5 releases § Exploit type: Code upload § Reported Date: 2009-Dec-30 § Fixed Date: 2010-Apr-23 DescriptionThe migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server. Affected InstallsAll 1.5.x installs prior to and including 1.5.15 are affected. SolutionUpgrade to the latest Joomla! version (1.5.16 or later) Reported by Nicola Bettini ContactThe JSST at the Joomla! Security Center. |
Joomla Security Update: Core – Installer Migration Script
Core – Installer Migration Script
Posted: 23 Apr 2010 10:27 AM PDT
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 1.5.15 and all previous 1.5 releases
- Exploit type: Code upload
- Reported Date: 2009-Dec-30
- Fixed Date: 2010-Apr-23
Description: The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server.
Affected Installs: All 1.5.x installs prior to and including 1.5.15 are affected.
Solution: Upgrade to the latest Joomla! version (1.5.16 or later)
Joomla Security Update: Core – Sessation Fixation
Joomla Security Update: Core – Sessation Fixation
Posted: 23 Apr 2010 10:22 AM PDT
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 1.5.15 and all previous 1.5 releases
- Exploit type: Session fixation
- Reported Date: 2010-Mar-25
- Fixed Date: 2010-Apr-23
Description: Session id doesn’t get modified when user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie. If the user then logs in, the remote site can use that cookie to authenticate as that user.
Affected Installs: All 1.5.x installs prior to and including 1.5.15 are affected.
Solution: Upgrade to the latest Joomla! version (1.5.16 or later)
Joomla security update – Core – Password Reset Tokens
If your site is built in Joomla, be sure to pass this important Joomla security alert along to your IT guru.
[20100423] – Core – Password Reset Tokens
Posted: 22 Apr 2010 05:00 PM PDT
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 1.5.15 and all previous 1.5 releases
- Exploit type: Unauthorized Access
- Reported Date: 2010-Jan-07
- Fixed Date: 2010-Apr-23
Description: When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.
Affected Installs: All 1.5.x installs prior to and including 1.5.15 are affected.
Solution: Upgrade to the latest Joomla! version (1.5.16 or later)
More Information: Joomla! Security Center.
