The sample data plugins lack ACL checks, allowing unauthorized access.
Tag: Joomla
ASA-2019-00135 – Joomla: Cross-Site Scripting (XSS) in media form field
The media form field lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
ASA-2019-00134 – Joomla: Cross-Site Scripting (XSS) in item_title layout
The item_title layout in edit views lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
ASA-2019-00133 – Joomla: Cross-Site Scripting (XSS) in com_config JSON handler
The JSON handler in com_config lacks input validation, leading to an XSS vulnerability.
ASA-2019-00081 – Joomla: Implement the TYPO3 PHAR stream wrapper
The phar:// stream wrapper can be used for object injection attacks. We now disallow usage of the phar:// handler for non-.phar files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
ASA-2019-00080 – Joomla: XSS Issue in core.js writeDynaList
Inadequate parameter handling in JS code could lead to an XSS attack vector.
ASA-2019-00079 – Joomla: Stored XSS issue in the Global Configuration help url
Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS.
ASA-2019-00078 – Joomla: Additional warning in the Global Configuration textfilter settings
"No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog.