Joomla News

Joomla! Announcements

Joomla! Official News

16 February 2019

Joomla! - the dynamic portal engine and content management system
  • Joomla 3.9.3 Release

    Joomla 3.9.3 is now available. This is a security fix release for the 3.x series of Joomla which addresses 6 security vulnerabilities and contains 30 bug fixes and improvements.

  • Keeping your Joomla website up-to-date

    As of release 3.5 Joomla is collecting stats data, thanks to the stats plugin (only works if it’s enabled), and it found too many websites are not using the currently supported release of 3.9.2. This data is based on the Joomla, PHP, and database version. These are some pretty alarming statistics, and should not be ignored! We have provided some links at the bottom of this article for your reference, review, and to even get the latest release of Joomla.

  • Joomla 3.9.2 Release

    Joomla 3.9.2 is now available. This is a security release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains over 50 bug fixes and improvements.


Joomla! Wiki

Joomla! Documentation - Recent changes [en]

16 February 2019

Track the most recent changes to the wiki in this feed.

Joomla! Security

Security Announcements

16 February 2019

  • [20190206] - Core - Implement the TYPO3 PHAR stream wrapper
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: Object Injection
    • Reported Date: 2019-January-18
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7743

    Description

    The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:David Jardin (JSST)
  • [20190205] - Core - XSS Issue in core.js writeDynaList
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: XSS
    • Reported Date: 2018-October-07
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7740

    Description

    Inadequate parameter handling in JS code could lead to an XSS attack vector.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Dimitris Grammatikogiannis
  • [20190204] - Core - Stored XSS issue in the Global Configuration help url #2
    • Project: Joomla!
    • SubProject: CMS
    • Impact:Low
    • Severity: Low
    • Versions: 2.5.0 through 3.9.2
    • Exploit type: XSS
    • Reported Date: 2019-January-16
    • Fixed Date: 2019-February-12
    • CVE Number: CVE-2019-7741

    Description

    Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS.

    Affected Installs

    Joomla! CMS versions 2.5.0 through 3.9.2

    Solution

    Upgrade to version 3.9.3

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By:Antonin Steinhauser
Follow expmedia1 on Twitter
Web Hosting
Joomla!