===========================================================================
AUSCERT Security Bulletin

ASB-2018.0059
SQL Injection vulnerability patched in Joomla!
15 March 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Joomla!
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8045
Member content until: Saturday, April 14 2018

OVERVIEW

A vulnerability has been identified in Joomla! in versions 3.5.0 through
3.8.5. [1]

IMPACT

The vendor has provided the following information:

"[20180301] - Core - SQLi vulnerability User Notes

* Project: Joomla!
* SubProject: CMS
* Impact: High
* Severity: Low
* Versions: 3.5.0 through 3.8.5
* Exploit type: SQLi
* Reported Date: 2018-March-08
* Fixed Date: 2018-March-12
* CVE Number: CVE-2018-8045

Description

The lack of type casting of a variable in SQL statement leads to a SQL
injection vulnerability in the User Notes list view." [1]

MITIGATION

The vendor recommends upgrading to version 3.8.6. [1]

REFERENCES

[1] Security Announcement
    https://developer.joomla.org/security-centre/723-20180301-core-sqli-vulnerability.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
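
The bulletin attributes the flaw to a variable used in a SQL statement
without a type cast, in a list view. The following added example (not
Joomla!'s code and not part of the bulletin) shows that pattern beside a
hardened form, using Python with an in-memory SQLite database. The table,
column and function names and the sample rows are constructed for
illustration.

```python
import sqlite3


def make_db():
    """Build a constructed stand-in for a notes table (not Joomla!'s schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, category_id INTEGER, subject TEXT)"
    )
    db.executemany(
        "INSERT INTO notes (category_id, subject) VALUES (?, ?)",
        [(1, "onboarding"), (1, "follow-up"), (2, "billing"), (3, "restricted")],
    )
    return db


def list_notes_uncast(db, category_id):
    """'Before' pattern: the filter value reaches the SQL text without a cast."""
    sql = "SELECT subject FROM notes WHERE category_id = " + str(category_id) + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def list_notes_cast(db, category_id):
    """Hardened pattern: force the filter to an integer, then bind it."""
    try:
        # Python's int() rejects non-numeric text instead of coercing it,
        # so a malformed filter never becomes part of the query.
        category_id = int(category_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT subject FROM notes WHERE category_id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (category_id,))]


if __name__ == "__main__":
    db = make_db()
    # Regression inputs: a normal filter and one that is not a plain integer.
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "uncast:", list_notes_uncast(db, value))
        print(repr(value), "cast:  ", list_notes_cast(db, value))
```

A check of this kind fits in a regression suite for any list filter that is
expected to be numeric: the hardened function must return the same rows as
before for valid input and no rows for input that is not an integer.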