Joomla! Security News

---

• [20140904] - Core - Denial of Service
• [20140903] - Core - Remote File Inclusion
• [20140902] - Core - Unauthorised Logins
• [20140901] - Core - XSS Vulnerability
• [20140301] - Core - SQL Injection
• [20140302] - Core - XSS Vulnerability
• [20140303] - Core - XSS Vulnerability
• [20140304] - Core - Unauthorised Logins
• [20131103] Core XSS Vulnerability
• [20131102] Core XSS Vulnerability
• [20131101] Core XSS Vulnerability

[20140904] - Core - Denial of Service Posted: 30 Sep 2014 12:00 PM PDT Project: Joomla! SubProject: CMS Severity: Low Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4 Exploit type: Denial of Service Reported Date: 2014-September-24 Fixed Date: 2014-September-30 CVE Number: CVE-2014-7229 Description Inadequate checking allowed the potential for a denial of service attack. Affected Installs Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4 Solution Upgrade to version 2.5.26, 3.2.6, or 3.3.5 Contact The JSST at the Joomla! Security Center. Reported By: Johannes Dahse

[20140903] - Core - Remote File Inclusion Posted: 30 Sep 2014 12:00 PM PDT Project: Joomla! SubProject: CMS Severity: Moderate Versions: 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4 Exploit type: Remote File Inclusion Reported Date: 2014-September-24 Fixed Date: 2014-September-30 CVE Number: CVE-2014-7228 Description Inadequate checking allowed the potential for remote files to be executed. Affected Installs Joomla! CMS versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4 Solution Upgrade to version 2.5.26, 3.2.6, or 3.3.5 Additional Details Please refer to AkeebaBackup.com for additional details. Contact The JSST at the Joomla! Security Center. Reported By: Johannes Dahse

[20140902] - Core - Unauthorised Logins Posted: 23 Sep 2014 12:00 PM PDT Project: Joomla! SubProject: CMS Severity: Moderate Versions: 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3 Exploit type: Unauthorised Logins Reported Date: 2014-September-09 Fixed Date: 2014-September-23 CVE Number: CVE-2014-6632 Description Inadequate checking allowed unauthorised logins via LDAP authentication. Affected Installs Joomla! CMS versions 2.5.24 and earlier 2.5.x versions, 3.2.4 and earlier 3.x versions, 3.3.0 through 3.3.3 Solution Upgrade to version 2.5.25, 3.2.5, or 3.3.4 Contact The JSST at the Joomla! Security Center. Reported By: Matthew Daley

[20140901] - Core - XSS Vulnerability Posted: 23 Sep 2014 12:00 PM PDT Project: Joomla! SubProject: CMS Severity: Moderate Versions: 3.2.0 through 3.2.4, 3.3.0 through 3.3.3 Exploit type: XSS Vulnerability Reported Date: 2014-August-27 Fixed Date: 2014-September-23 CVE Number: CVE-2014-6631 Description Inadequate escaping leads to XSS vulnerability in com_media. Affected Installs Joomla! CMS versions 3.2.0 through 3.2.4 and 3.3.0 through 3.3.3 Solution Upgrade to version 3.2.5 or 3.3.4 Contact The JSST at the Joomla! Security Center. Reported By: Dingjie (Daniel) Yang

[20140301] - Core - SQL Injection Posted: 06 Mar 2014 12:30 PM PST Project: Joomla! SubProject: CMS Severity: High Versions: 3.1.0 through 3.2.2 Exploit type: SQL Injection Reported Date: 2014-February-06 Fixed Date: 2014-March-06 CVE Number: Pending Description Inadequate escaping leads to SQL injection vulnerability. Affected Installs Joomla! CMS versions 3.1.0 through 3.2.2 Solution Upgrade to version 3.2.3 Contact The JSST at the Joomla! Security Center. Reported By: ??

[20140302] - Core - XSS Vulnerability Posted: 06 Mar 2014 12:30 PM PST Project: Joomla! SubProject: CMS Severity: Moderate Versions: 3.1.2 through 3.2.2 Exploit type: XSS Vulnerability Reported Date: 2014-March-04 Fixed Date: 2014-March-06 CVE Number: Pending Description Inadequate escaping leads to XSS vulnerability in com_contact. Affected Installs Joomla! CMS versions 3.1.2 through 3.2.2 Solution Upgrade to version 3.2.3 Contact The JSST at the Joomla! Security Center. Reported By: ??

[20140303] - Core - XSS Vulnerability Posted: 06 Mar 2014 12:30 PM PST Project: Joomla! SubProject: CMS Severity: Moderate Versions: 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions Exploit type: XSS Vulnerability Reported Date: 2014-March-05 Fixed Date: 2014-March-06 CVE Number: Pending Description Inadequate escaping leads to XSS vulnerability. Affected Installs Joomla! CMS versions 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions Solution Upgrade to version 2.5.19 or 3.2.3 Contact The JSST at the Joomla! Security Center. Reported By: JSST

[20140304] - Core - Unauthorised Logins Posted: 06 Mar 2014 12:30 PM PST Project: Joomla! SubProject: CMS Severity: Moderate Versions: 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions Exploit type: Unauthorised Logins Reported Date: 2014-February-21 Fixed Date: 2014-March-06 CVE Number: Pending Description Inadequate checking allowed unauthorised logins via GMail authentication. Affected Installs Joomla! CMS versions 2.5.18 and earlier 2.5.x versions, 3.2.2 and earlier 3.x versions Solution Upgrade to version 2.5.19 or 3.2.3 Contact The JSST at the Joomla! Security Center. Reported By: Stefania Gaianigo

[20131103] Core XSS Vulnerability Posted: 06 Nov 2013 10:47 AM PST Project: Joomla! SubProject: All Severity: Moderate Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions. Exploit type: XSS Vulnerability Reported Date: 2013-October-26 Fixed Date: 2013-November-06 CVE Number: Description Inadequate filtering leads to XSS vulnerability in com_contact. Affected Installs Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions. Solution Upgrade to version 2.5.16, 3.1.6 or 3.2. Contact The JSST at the Joomla! Security Center. Reported By: Osanda Malith Jayathissa

[20131102] Core XSS Vulnerability Posted: 06 Nov 2013 10:47 AM PST Project: Joomla! SubProject: All Severity: Moderate Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions. Exploit type: XSS Vulnerability Reported Date: 2013-October-06 Fixed Date: 2013-November-06 CVE Number: Description Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds. Affected Installs Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions. Solution Upgrade to version 2.5.16, 3.1.6 or 3.2. Contact The JSST at the Joomla! Security Center. Reported By: Osanda Malith Jayathissa

[20131101] Core XSS Vulnerability Posted: 06 Nov 2013 10:47 AM PST Project: Joomla! SubProject: All Severity: High Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions. Exploit type: XSS Vulnerability Reported Date: 2013-October-25 Fixed Date: 2013-November-06 CVE Number: Description Inadequate filtering leads to XSS vulnerability in com_contact. Affected Installs Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions. Solution Upgrade to version 2.5.16, 3.1.6 or 3.2. Contact The JSST at the Joomla! Security Center. Reported By: Osanda Malith Jayathissa