The sample data plugins lack ACL checks, allowing unauthorized access.
Tag: Joomla
ASA-2019-00135 – Joomla: Cross-Site Scripting (XSS) in media form field
The media form field lacks escaping, leading to a Cross-Site Scripting (XSS) vulnerability.
ASA-2019-00134 – Joomla: Cross-Site Scripting (XSS) in item_title layout
The item_title layout in edit views lacks escaping, leading to a Cross-Site Scripting XSS vulnerability.
ASA-2019-00133 – Joomla: Cross-Site Scripting (XSS) in com_config JSON handler
The JSON handler in com_config lacks input validation, leading to XSS vulnerability.
ASA-2019-00081 – Joomla: Implement the TYPO3 PHAR stream wrapper
The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.