Joomla! performs an incomplete check on the $_JEXEC variable, which can allow an XSS (cross-site scripting) issue. Upgrade the application to Joomla! 4.2.1 or higher, or upgrade to Joomla! 5.0.0 by following the steps in the Joomla Upgrade Guide. A second issue was found in Joomla! 3.10.0: the password reset email was not sent to the address specified in the user profile. For that issue, upgrade to Joomla! 3.11.0 or higher.
Joomla! 3.9.0
Upgrade Requirements
Joomla! 3.9.0 is a major release of the Joomla! CMS, so all components must be upgraded along with it.
The following components are affected:
- Core - versions 1.7 and 1.8
- Component - versions 3.0 and 3.1
- Extensions - versions 3.2, 3.3, 3.4, 3.5, 4.0, 5.0
Joomla! 3.10.0
- The Missing Password Reset Email
Joomla! 3.10.0 is affected by an issue where the password reset email was not sent to the email address specified in the user profile. This means an attacker could gain access to the account by following these steps:
1) Add a new user with your email address specified as their username
2) Change their password as you would in any other case
3) Receive an email from Joomla! informing you that you have been locked out of your account
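The page does not show the affected code, so the following is an added illustration (not Joomla's own implementation) of the invariant a password-reset handler must keep for the issue described above: the reset token must be mailed only to the address stored in the account record, never to an address taken from the request. The in-memory user table, the `issueToken` helper, the handler names and the attacker request are all constructed for this example.

```php
<?php
// Added example, not Joomla code: the invariant a password-reset flow must
// keep is that the token goes only to the address stored in the account,
// never to an address supplied by the request.

// Constructed in-memory user table standing in for the users database.
const USERS = [
    'alice' => ['id' => 1, 'email' => 'alice@example.org'],
];

// Fresh random token bound to the account; returned here for illustration
// instead of being stored and mailed.
function issueToken(int $userId): string
{
    return bin2hex(random_bytes(16));
}

// Weak handler: trusts the destination address from the request. Anyone who
// knows a username can have that account's reset token mailed to themselves.
function resetWeak(array $request): ?array
{
    $user = USERS[$request['username']] ?? null;
    if ($user === null) {
        return null;
    }
    return ['to' => $request['email'], 'token' => issueToken($user['id'])];
}

// Hardened handler: the request identifies the account, the stored record
// decides where the mail goes. The caller should show the same message
// whether or not this returns null, so the endpoint does not enumerate users.
function resetHardened(array $request): ?array
{
    $user = USERS[$request['username']] ?? null;
    if ($user === null) {
        return null;
    }
    return ['to' => $user['email'], 'token' => issueToken($user['id'])];
}

// Constructed attacker request: a real username, an attacker-controlled address.
$attack = ['username' => 'alice', 'email' => 'attacker@example.net'];

$weak = resetWeak($attack);
$safe = resetHardened($attack);

printf("weak handler mails the token to:     %s\n", $weak['to']);
printf("hardened handler mails the token to: %s\n", $safe['to']);
```

Run with `php reset.php`: the weak handler addresses the token to the attacker's mailbox, the hardened one to the address on file. The check to apply when auditing a reset flow is simply whether any request parameter can influence the recipient of the reset mail.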
Joomla! 3.9.0 is the latest stable release in the 3.9 series, and it carries security issues that need to be fixed. The most important is the incomplete check on the $_JEXEC variable, which could lead to XSS (cross-site scripting). As always, upgrading to the latest release is highly recommended. The password reset issue found in Joomla! 3.10.0, where the reset email was not sent to the address in the user profile, might allow attackers to steal credentials by intercepting the mail.
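The page does not reproduce the incomplete check it refers to, so the following is an added illustration (not Joomla core code) of what the guard at the top of a Joomla PHP file is for and why the canonical form tests the `_JEXEC` constant (`defined('_JEXEC') or die;`) rather than a variable. The template fragment, the two guard functions and the direct request are constructed for this example; the escaping with `htmlspecialchars` is included to show the safe output path.

```php
<?php
// Added example, not Joomla core code. Contrasts the canonical Joomla guard,
// which tests the _JEXEC constant, with a weaker check of a variable of the
// same name. The file being guarded is a template fragment that echoes a
// title; the direct request below is constructed for illustration.

// Canonical form. Only the application's entry point (index.php) defines the
// constant, and it does so before including any other file. A request that
// hits this file directly never has it defined, so the file halts.
function renderWithConstantGuard(string $title): string
{
    if (!defined('_JEXEC')) {
        return 'Direct access denied';
    }
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Weaker form: tests a variable. Anything that copies request parameters into
// local or global variables (legacy register_globals, or extract($_REQUEST))
// lets the request itself satisfy the check, and the fragment then runs
// outside the application that would normally have sanitised its inputs.
function renderWithVariableGuard(array $vars): string
{
    if (empty($vars['_JEXEC'])) {
        return 'Direct access denied';
    }
    return '<h1>' . $vars['title'] . '</h1>';
}

// Constructed direct request, e.g. /templates/site/fragment.php?_JEXEC=1&title=...
$request = [
    '_JEXEC' => '1',
    'title'  => '<script>alert(document.cookie)</script>',
];

echo "variable guard, direct request:  ", renderWithVariableGuard($request), PHP_EOL;
echo "constant guard, direct request:  ", renderWithConstantGuard($request['title']), PHP_EOL;

// The legitimate path: the entry point defines the constant, then includes the file.
define('_JEXEC', 1);
echo "constant guard, via entry point: ", renderWithConstantGuard($request['title']), PHP_EOL;
```

The point of the constant is that request input cannot define it: a PHP constant is set only by code that runs before the guarded file, which on a Joomla site is the entry point. When reviewing an extension or template, grep for files that lack the `defined('_JEXEC') or die;` line or that test something other than the constant, and confirm that none of them emits unescaped request data when fetched directly.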
Install the latest Joomla!
For Joomla! 3.11.0 or higher, install the latest available version of Joomla!.
Timeline
Published on: 08/31/2022 10:15:00 UTC
Last modified on: 09/05/2022 03:20:00 UTC