-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1961
                  Security Announcements in Joomla! core
                                4 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Joomla! Core
Publisher:         Joomla!
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Reduced Security           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13763 CVE-2020-13762 CVE-2020-13761
                   CVE-2020-13760 CVE-2020-11023 CVE-2020-11022

Reference:         ESB-2020.1804

Original Bulletin: 
   https://developer.joomla.org/security-centre/817-20200605-core-csrf-in-com-postinstall.html
   https://developer.joomla.org/security-centre/816-20200604-core-xss-in-jquery-htmlprefilter.html
   https://developer.joomla.org/security-centre/815-20200603-core-xss-in-com-modules-tag-options.html
   https://developer.joomla.org/security-centre/814-20200602-core-inconsistent-default-textfilter-settings.html
   https://developer.joomla.org/security-centre/813-20200601-core-xss-in-modules-heading-tag-option.html

Comment: This bulletin contains five (5) Joomla! security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

[20200605] - Core - CSRF in com_postinstall

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.7.0-3.9.18
Exploit type: XSS
Reported Date: 2020-May-08
Fixed Date: 2020-June-02
CVE Number: CVE-2020-13760

Description

Missing token checks in com_postinstall cause CSRF vulnerabilities.

Affected Installs

Joomla! CMS versions 3.7.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.
Reported By: Khoa Bui Duc Anh

- --------------------------------------------------------------------------------

[20200604] - Core - XSS in jQuery.htmlPrefilter

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Moderate
Versions: 3.0.0-3.9.18
Exploit type: XSS
Reported Date: 2020-April-10
Fixed Date: 2020-June-02
CVE Number: CVE-2020-11022 and CVE-2020-11023

Description

The jQuery project released version 3.5.0 and, as part of that release,
disclosed two security vulnerabilities that affect all prior versions. As
mentioned in the jQuery blog, both are "[...] security issues in jQuery's DOM
manipulation methods, as in .html(), .append(), and the others."

The Drupal project has backported the relevant fixes to jQuery 1.x, and
Joomla has adopted that patch.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST

- --------------------------------------------------------------------------------

[20200603] - Core - XSS in com_modules tag options

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.0.0-3.9.18
Exploit type: XSS
Reported Date: 2020-May-06
Fixed Date: 2020-June-02
CVE Number: CVE-2020-13762

Description

Incorrect input validation of the module tag option in com_modules allows
XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.
Reported By: Khoa Bui Duc Anh

- --------------------------------------------------------------------------------

[20200602] - Core - Inconsistent default textfilter settings

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0-3.9.18
Exploit type: Insecure Permissions
Reported Date: 2020-April-23
Fixed Date: 2020-June-02
CVE Number: CVE-2020-13763

Description

The default settings of the global "textfilter" configuration do not block
HTML input for 'Guest' users. With 3.9.19, the textfilter for new
installations has been set to 'No HTML' for the groups 'Public', 'Guest'
and 'Registered'.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.
Reported By: Brian Teeman

- --------------------------------------------------------------------------------

[20200601] - Core - XSS in modules heading tag option

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.0.0-3.9.18
Exploit type: XSS
Reported Date: 2020-May-06
Fixed Date: 2020-June-02
CVE Number: CVE-2020-13761

Description

Lack of input validation in the heading tag option of the "Articles -
Newsflash" and "Articles - Categories" modules allows XSS attacks.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.18

Solution

Upgrade to version 3.9.19

Contact

The JSST at the Joomla! Security Centre.
Reported By: Khoa Bui Duc Anh
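Both the com_modules tag option advisory (20200603) and the module heading tag advisory (20200601) come down to the same defect: an administrator-controlled tag name is interpolated into template markup without being validated. The following is an added illustration, not Joomla's own code or its 3.9.19 fix; the helper names and the allow-list are assumptions, and it shows the defensive pattern of accepting only a fixed set of tag names and falling back to a default for anything else.

```php
<?php
// Added example (not Joomla's code): allow-list validation of a user-supplied
// HTML tag name before it is echoed into a module template.
// Helper names and the allowed set are assumptions for this illustration.

declare(strict_types=1);

/** Tag names a module heading/wrapper option is permitted to take. */
const ALLOWED_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

/**
 * Return the normalised tag if it is on the allow-list, otherwise $default.
 * The comparison is an exact string match, so any value carrying whitespace,
 * quotes, '>' or '/' can never be accepted as a tag name.
 */
function safeTagName(string $tag, string $default = 'h4'): string
{
    $normalised = strtolower(trim($tag));

    return in_array($normalised, ALLOWED_TAGS, true) ? $normalised : $default;
}

/** Render a heading the way a module template would, using the vetted tag. */
function renderHeading(string $tagOption, string $title): string
{
    $tag  = safeTagName($tagOption);
    $text = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<{$tag}>{$text}</{$tag}>";
}

// Constructed inputs: a normal option value, and one that smuggles an attribute
// into the tag name. A template echoing the raw option would have emitted the
// second value verbatim; the allow-list replaces it with the default tag.
echo renderHeading('h3', 'Latest news'), PHP_EOL;
echo renderHeading('h3 class="x"', 'Latest news'), PHP_EOL;
```

The same check belongs on the save side as well (rejecting the value in the form's field definition), so a bad option never reaches the database in the first place.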

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================