Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0094
Joomla! 3.7.3 is now available. This is a security release
for the 3.x series of Joomla!
7 July 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Joomla
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Access Confidential Data -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-9933 CVE-2017-9934 CVE-2017-7985
Member content until: Sunday, August 6 2017
OVERVIEW
A security release for the 3.x series of Joomla! that fixes security
vulnerabilities affecting versions prior and including 3.7.2. [1]
IMPACT
The vendor has provided the following information:
"CVE-2017-9933 [20170701] - Core - Information Disclosure
Affected Installs: Joomla! CMS versions 1.7.3-3.7.2" [2]
"CVE-2017-9934 [20170702] - Core - XSS Vulnerability
Affected Installs: Joomla! CMS versions 1.7.3-3.7.2" [3]
"CVE-2017-7985 [20170703] - Core - XSS Vulnerability
Affected Installs: Joomla! CMS versions 1.5.0-3.7.2" [4]
MITIGATION
The vendor recommends updating to the latest version of Joomla! to
correct these issues. [1]
"Upgrade to version 3.7.3" [2][3][4]
REFERENCES
[1] Joomla! 3.7.3 Release
https://www.joomla.org/announcements/release-news/5709-joomla-3-7-3-release.html
[2] [20170701] - Core - Information Disclosure
https://developer.joomla.org/security-centre/696-20170601-core-information-disclosure
[3] [20170702] - Core - XSS Vulnerability
https://developer.joomla.org/security-centre/697-20170602-core-xss-vulnerability
[4] [20170703] - Core - XSS Vulnerability
https://developer.joomla.org/security-centre/698-20170603-core-xss-vulnerability.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWV8TkIx+lLeg9Ub1AQgGag//TjUNuqNqPx08oi1LR+Jl5S6zo1h5skfX
a82bcAJOmI+kZGADyR4R/bkgVZf+V33r6ez9WKLjKfJsCZFaU4eifUAYvGiMlEN7
brS/oO/lZtSS3EgVKGIS6jfhSiUboF3e88ScFPQiww6altEzjRdh3Aiz31t+qphY
8DxHMlQ8/UxCe9pYpDvFH3JbeTd76ANwrFXJUQY5IfhIgoI6qRHqbgyVKu4stCru
cjIqkG9cL8/zgyYmD0UR4Hf50FmeTUNO7lUz06IZIHagv+ihuRQNWjCUZM31HGlG
98+GYPreU46nGiRYPwKsqU6gj/ICM5Jzx1ZivNw3w34/baTsUjjWS0T3/SEH820R
QQipaeV1Mlzxiq6Cmp7vEp2JleyR5azha6GAk0csVLYwClGgtpneX3GOEJkiLx3Z
O13vMPngGaPkwUeSxjYyv2cmOMdp0/yy/r3oOVjr5FoJJcgkTbVtp69XI1EU7z5e
u1cPFIekv0fvGkn0yZtjA4Ek8lZgttk/SHrykc4IOtWCXt8O3ck7+JH2pRJZVXhP
EHtzXWaxmH4PVx9Vz76Snk54HaSQuP6wCzMXEULqWVmUwN4lwwDQTWnafLHpX1IY
vKaIQB3QG3F5FjVpeZHrwFOgUbI9uGP8bl5/yxmHB8fufdtxw0G/bHemVUirepK/
XS09Thl+avc=
=YWxU
-----END PGP SIGNATURE-----