-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0125
   Multiple vulnerabilities have been identified in Joomla! in versions
                          prior to 3.7.4.
                              27 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Joomla!
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
                      Unauthorised Access  -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-11612 CVE-2017-11364

Member content until: Saturday, August 26 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Joomla! in versions
        prior to 3.7.4. [1]

IMPACT

        The vendor has provided the following information:

        "Project: Joomla!
        SubProject: CMS Installer
        Severity: High
        Versions: 1.0.0 through 3.7.3
        Exploit type: Lack of Ownership Verification
        Reported Date: 2017-Apr-06
        Fixed Date: 2017-July-25
        CVE Number: CVE-2017-11364

        The CMS installer application lacked a process to verify the user's
        ownership of a webspace, potentially allowing users to gain
        control." [1]

        "Project: Joomla!
        SubProject: CMS
        Severity: Low
        Versions: 1.5.0 through 3.7.3
        Exploit type: XSS
        Reported Date: 2017-April-26
        Fixed Date: 2017-July-25
        CVE Number: CVE-2017-11612

        Inadequate filtering of potentially malicious HTML tags leads to
        XSS vulnerabilities in various components." [1]

MITIGATION

        The vendor recommends updating to the latest version of Joomla! to
        correct these issues.

REFERENCES

        [1] Security Announcements
            https://developer.joomla.org/security-centre.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWXlHRYx+lLeg9Ub1AQjXtg//dXzOfPSODE6DGImecx4uJWFtDTSeKj78
mc54c6RSNGSLGvLm4OVStj59U9M9kNlIXN4Q24VCM4ibjn9HtxYMcNHI32kiRJN6
D/pS7mmV1l3GVf39Ulzxcc1GA3UgecFHkGTEZzrQrYk6zDe6pA0td8Dey997bXNL
oWKLPcePkOF44PlLKsAjXQyTbYXD1EUEd+2xHNyR1m+9B2kq5xXWSu+OwAk0WQl3
WmQ0uShqc0/6dScVH6zARRGbDDi3XBtF+swngb/3QZhUTs+YeWKM1jW6oW3/Lzs9
9t2DKgFPFyjSj6mxtnQSZa7Y5cRe+28IT987mcfTPPMIiYulwnWf70xEXlPcZGyR
vD+bNBYwujxbfu2UGRPmfsYuPcrMaJoXTNOgkWFHH0aKC19Pk/TY2cypSFlSe3wI
a1v6/CQ+/OvcUQoZ5nPDpYOBfEYQR3ApPRhFQF0B/zAIl0SBonOF3n35cxIwinfY
DcUHGKXOhlmoqcylFLOnoRis8pDaElZQJ3nEUT3f18jfiX650OndyOlVR+GylEHv
TNG5KLwWHAs9wI6EeWaQTcqYGE1pk29ALwtK0rOiFpO+xT4JtMf/uSB7yihErKaM
5R30Hu68xtbOGtLb/km0ymiGspYLFAb2aiYMPt6Kesl+hUbxwztVZz5+NxFXGIlR
Vwlp2ZWXQTM=
=sQsL
-----END PGP SIGNATURE-----
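Editorial addendum. The bulletin's mitigation is "update to the latest version", and the CVE-2017-11364 entry points at the CMS installer as the weak spot. The script below is an added example for this page, not AusCERT or Joomla! code: it checks a local Joomla! webroot offline, reading the core version and flagging anything older than 3.7.4, and flagging a leftover installation/ directory, since the web installer is exactly the component the ownership-verification bug lives in. It assumes the standard Joomla! 3.x layout in which administrator/manifests/files/joomla.xml carries a <version> element; the sample webroots it builds are constructed in a temporary directory for demonstration.

```python
"""Offline check of a Joomla! webroot against AUSCERT ASB-2017.0125.

Added example for this bulletin, not AusCERT or Joomla! code. Assumes the
Joomla! 3.x layout: the core version is in
administrator/manifests/files/joomla.xml and the web installer lives in
installation/ under the webroot.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (3, 7, 4)  # first release carrying the fixes in ASB-2017.0125
MANIFEST = os.path.join("administrator", "manifests", "files", "joomla.xml")

# Constructed stand-in for joomla.xml; only the <version> child matters here.
MANIFEST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>%s</version>
</extension>
"""


def parse_version(text):
    """Turn '3.7.3' (or '3.7.4-rc1') into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())


def installed_version(webroot):
    """Read the core version from the manifest; None if it cannot be found."""
    path = os.path.join(webroot, MANIFEST)
    if not os.path.isfile(path):
        return None
    node = ET.parse(path).getroot().find("version")
    if node is None or not node.text:
        return None
    return parse_version(node.text)


def check_webroot(webroot):
    """Return the detected version and a list of findings for this bulletin."""
    version = installed_version(webroot)
    findings = []
    if version is None:
        findings.append("manifest missing or unreadable: Joomla! version unknown")
    elif version < FIXED_VERSION:
        findings.append(
            "Joomla! %d.%d.%d is affected by ASB-2017.0125 "
            "(CVE-2017-11364, CVE-2017-11612); upgrade to 3.7.4 or later" % version
        )
    if os.path.isdir(os.path.join(webroot, "installation")):
        findings.append(
            "installation/ directory still present: remove it; the CMS "
            "installer is the component affected by CVE-2017-11364"
        )
    return {"version": version, "findings": findings}


def make_sample_webroot(version=None, keep_installer=False):
    """Build a constructed webroot in a temp dir (no manifest when version is None)."""
    root = tempfile.mkdtemp(prefix="joomla-check-")
    if version is not None:
        path = os.path.join(root, MANIFEST)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(MANIFEST_TEMPLATE % version)
    if keep_installer:
        os.makedirs(os.path.join(root, "installation"))
    return root


if __name__ == "__main__":
    for label, kwargs in (("vulnerable", dict(version="3.7.3", keep_installer=True)),
                          ("patched", dict(version="3.7.4"))):
        result = check_webroot(make_sample_webroot(**kwargs))
        print(label, result["version"], result["findings"] or ["no findings"])
```

Run it against a real deployment with `check_webroot("/var/www/html")`; on a patched site it returns an empty findings list. The version comparison uses integer tuples rather than string comparison so that a later 3.10.x release does not sort below 3.7.4.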