===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0320
                      Joomla! Security Announcements
                               1 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Joomla!
Publisher:         Joomla!
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6380 CVE-2018-6379 CVE-2018-6377 CVE-2018-6376

Original Bulletin:
   https://developer.joomla.org/security-centre/722-20180104-core-sqli-vulnerability.html
   https://developer.joomla.org/security-centre/721-20180103-core-xss-vulnerability.html
   https://developer.joomla.org/security-centre/720-20180102-core-xss-vulnerability.html
   https://developer.joomla.org/security-centre/718-20180101-core-xss-vulnerability.html

Comment: This bulletin contains four (4) Joomla! security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

[20180104] - Core - SQLi vulnerability in Hathor postinstall message

Posted: 30 Jan 2018 06:45 AM PST

Project:       Joomla!
SubProject:    CMS
Impact:        High
Severity:      Low
Versions:      3.7.0 through 3.8.3
Exploit type:  SQLi
Reported Date: 2017-November-17
Fixed Date:    2018-January-30
CVE Number:    CVE-2018-6376

Description
The lack of type casting of a variable in a SQL statement leads to a SQL
injection vulnerability in the Hathor postinstall message.

Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3

Solution
Upgrade to version 3.8.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Karim Ouerghemmi, ripstech.com

[20180103] - Core - XSS vulnerability in Uri class

Posted: 30 Jan 2018 06:45 AM PST

Project:       Joomla!
SubProject:    CMS
Impact:        Moderate
Severity:      Low
Versions:      1.5.0 through 3.8.3
Exploit type:  XSS
Reported Date: 2017-November-17
Fixed Date:    2018-January-30
CVE Number:    CVE-2018-6379

Description
Inadequate input filtering in the Uri class (formerly JUri) leads to an XSS
vulnerability.

Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.3

Solution
Upgrade to version 3.8.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Octavian Cinciu

[20180102] - Core - XSS vulnerability in com_fields

Posted: 30 Jan 2018 06:45 AM PST

Project:       Joomla!
SubProject:    CMS
Impact:        Moderate
Severity:      Low
Versions:      3.7.0 through 3.8.3
Exploit type:  XSS
Reported Date: 2018-January-20
Fixed Date:    2018-January-30
CVE Number:    CVE-2018-6377

Description
Inadequate input filtering in com_fields leads to an XSS vulnerability in
multiple field types, i.e. list, radio and checkbox.

Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3

Solution
Upgrade to version 3.8.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: Benjamin Trenkle, JSST

[20180101] - Core - XSS vulnerability in module chromes

Posted: 30 Jan 2018 06:45 AM PST

Project:       Joomla!
SubProject:    CMS
Impact:        Moderate
Severity:      Low
Versions:      3.0.0 through 3.8.3
Exploit type:  XSS
Reported Date: 2018-January-21
Fixed Date:    2018-January-30
CVE Number:    CVE-2018-6380

Description
Lack of escaping in the module chromes leads to XSS vulnerabilities in the
module system.

Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.3

Solution
Upgrade to version 3.8.4

Contact
The JSST at the Joomla! Security Centre.

Reported By: David Jardin, JSST

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
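The two defect classes in the included Joomla! advisories (an un-cast variable reaching a SQL statement, and values reaching HTML without escaping) are illustrated below as an added PHP example; it is not Joomla's code or the project's fix, and the function names, `$rawId`, `$title` and the `#__example_messages` table are hypothetical placeholders.

```php
<?php
// Added illustration, not Joomla's own code. Each unsafe form is shown beside
// the hardened form a reviewer would expect. All names here are hypothetical.
declare(strict_types=1);

// --- SQL: a numeric id must be proven numeric before it touches the statement ---

// Unsafe: the raw request value is interpolated straight into the query text.
function buildMessageQueryUnsafe(string $rawId): string
{
    return "SELECT * FROM #__example_messages WHERE extension_id = $rawId";
}

// Safe: reject anything that is not digits, then cast so only an integer can
// ever be interpolated. The cast is the "type casting" the advisory refers to.
function buildMessageQuery(string $rawId): string
{
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('extension_id must be a non-negative integer');
    }
    $id = (int) $rawId;
    return "SELECT * FROM #__example_messages WHERE extension_id = $id";
}

// --- HTML: anything that came from input or the database is escaped on output ---

// Unsafe: a module title is echoed as-is into the page markup.
function renderModuleTitleUnsafe(string $title): string
{
    return "<h3 class=\"module-title\">$title</h3>";
}

// Safe: escape at the output boundary for the HTML text context. Quotes are
// escaped too, so the same helper is safe inside attribute values.
function renderModuleTitle(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h3 class=\"module-title\">$escaped</h3>";
}

// Constructed sample values, used only to show the safe forms in action.
echo buildMessageQuery('42'), PHP_EOL;
// SELECT * FROM #__example_messages WHERE extension_id = 42
echo renderModuleTitle('News & "Events" <draft>'), PHP_EOL;
// <h3 class="module-title">News &amp; &quot;Events&quot; &lt;draft&gt;</h3>
```

Passing a non-numeric string to `buildMessageQuery()` throws instead of reaching the database, which is the behaviour to look for when reviewing similar code paths.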