• Security advisory: [20170501] - Core - SQL Injection
    • Project: Joomla!
    • SubProject: CMS
    • Severity: High
    • Versions: 3.7.0
    • Exploit type: SQL Injection
    • Reported Date: 2017-May-11
    • Fixed Date: 2017-May-17
    • CVE Number: CVE-2017-8917

    Description

    Inadequate filtering of request data leads to a SQL Injection vulnerability.

    Affected Installs

    Joomla! CMS version 3.7.0

    Solution

    Upgrade to version 3.7.1

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Marc-Alexandre Montpas / sucuri.net
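    The advisory above gives only the cause, "inadequate filtering of request data". The following Python example is added here to show what that looks like in practice; it is illustrative code, not Joomla's PHP and not the code that was actually fixed. `list_vulnerable` pastes a search term and an ordering parameter straight into the SQL text; `list_hardened` sends the value as a bind parameter and, because an identifier cannot be bound, checks the ordering against an allow-list before it is used. The table, rows and parameter names are constructed for the example.

```python
import sqlite3

# Constructed sample table standing in for CMS content; not Joomla's schema.
ROWS = [
    (1, "Public article", 1),
    (2, "Draft article", 0),
    (3, "Secret article", 0),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE content (id INTEGER, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO content VALUES (?, ?, ?)", ROWS)
    return con


def list_vulnerable(con, search, ordering):
    """Request data (search term and ordering) is interpolated into the SQL text."""
    sql = (
        "SELECT id, title FROM content WHERE published = 1 "
        f"AND title LIKE '%{search}%' ORDER BY {ordering}"
    )
    return [row[0] for row in con.execute(sql)]


# Identifiers cannot be passed as bind parameters, so they are allow-listed.
ALLOWED_ORDER_COLUMNS = {"id", "title"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def parse_ordering(ordering):
    """Accept only "<column>" or "<column> <ASC|DESC>" drawn from the allow-lists."""
    column, _, direction = ordering.strip().partition(" ")
    direction = direction.strip().upper() or "ASC"
    if column not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected ordering parameter: {ordering!r}")
    return column, direction


def list_hardened(con, search, ordering):
    """The value travels as a bind parameter; the identifier is validated first."""
    column, direction = parse_ordering(ordering)
    sql = (
        "SELECT id, title FROM content WHERE published = 1 "
        f"AND title LIKE ? ORDER BY {column} {direction}"
    )
    return [row[0] for row in con.execute(sql, (f"%{search}%",))]


if __name__ == "__main__":
    con = make_db()
    # The comment sequence closes the quoted LIKE pattern and discards the rest
    # of the statement, so the unpublished rows come back too.
    print(list_vulnerable(con, "' OR 1=1 --", "id"))   # [1, 2, 3]
    print(list_hardened(con, "' OR 1=1 --", "id"))     # []
```

    The allow-list is the part people skip: escaping helps for values, but an ORDER BY column or direction has to be compared against a fixed set of names, since a database driver cannot parameterise it.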

  • Security advisory: [20170408] - Core - Information Disclosure
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 3.4.0 through 3.6.5
    • Exploit type: Information Disclosure
    • Reported Date: 2016-Feb-06
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-8057

    Description

    Multiple files caused full path disclosures on systems with enabled error reporting.

    Affected Installs

    Joomla! CMS versions 3.4.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Sim of tencent security

  • Security advisory: [20170407] - Core - ACL Violations
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 3.2.0 through 3.6.5
    • Exploit type: ACL Violation
    • Reported Date: 2017-March-01
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7989

    Description

    Inadequate mime type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Abdullah Hussam
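    The failure mode named above, a MIME type check that lets an explicitly forbidden file type through, is usually a check that trusts only the client-declared Content-Type. The Python below is an added illustration (not Joomla's media manager code) of the layered check a practitioner would expect: the extension, the declared type and the file's leading bytes all have to agree with an allow-list. The allow-list, the field names and the sample bytes are assumptions made for the example; the SWF signatures FWS, CWS and ZWS are the real ones.

```python
# Assumed site policy for the example: only raster images may be uploaded.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
ALLOWED_MIME_TYPES = {"image/jpeg", "image/png", "image/gif"}

# Leading bytes for the allowed types and for SWF (uncompressed, zlib, LZMA).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"FWS": "application/x-shockwave-flash",
    b"CWS": "application/x-shockwave-flash",
    b"ZWS": "application/x-shockwave-flash",
}


def sniff_mime(data: bytes):
    """Return the type implied by the file's own bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def check_upload_weak(filename: str, declared_mime: str, data: bytes) -> bool:
    """Weak check: only the client-supplied Content-Type is consulted."""
    return declared_mime in ALLOWED_MIME_TYPES


def check_upload(filename: str, declared_mime: str, data: bytes) -> bool:
    """Extension, declared type and sniffed type must all agree with the policy."""
    parts = filename.lower().split(".")
    # Deliberately strict: every dotted suffix must be an allowed extension, so
    # "shell.php.jpg" and "movie.jpg.swf" are rejected as well as "movie.swf".
    if len(parts) < 2 or not all(p in ALLOWED_EXTENSIONS for p in parts[1:]):
        return False
    if declared_mime not in ALLOWED_MIME_TYPES:
        return False
    sniffed = sniff_mime(data)
    return sniffed is not None and sniffed == declared_mime


if __name__ == "__main__":
    # Constructed sample payloads: a minimal SWF header and a JPEG header.
    swf = b"FWS\x0a" + b"\x00" * 16
    print(check_upload_weak("movie.swf", "image/jpeg", swf))  # True: forged type passes
    print(check_upload("movie.swf", "image/jpeg", swf))       # False
    print(check_upload("movie.jpg", "image/jpeg", swf))       # False: bytes say SWF
```

    Renaming the file to .jpg and declaring image/jpeg defeats the weak check; only the content sniff catches it, which is why the three signals are combined rather than substituted for one another.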

  • Security advisory: [20170406] - Core - ACL Violations
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 1.6.0 through 3.6.5
    • Exploit type: ACL Violation
    • Reported Date: 2016-April-29
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7988

    Description

    Inadequate filtering of form contents allowed the author of an article to be overwritten.

    Affected Installs

    Joomla! CMS versions 1.6.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: T-Systems Multimedia Solutions
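    The advisory above is a mass-assignment problem: a submitted form carried an ownership field that the server wrote through without checking whether the user was entitled to set it. The Python below is added as an illustration (not Joomla's form or table API) of the usual fix, a server-side allow-list of fields per permission level; the dropped keys are also returned so a caller can log attempts to set fields it never offered. The field names, the `can_edit_author` flag and the records are assumptions for the example.

```python
# Assumed field sets for the example; Joomla's real form definitions differ.
FIELDS_ANY_EDITOR = {"title", "introtext", "fulltext", "catid"}
FIELDS_PRIVILEGED = FIELDS_ANY_EDITOR | {"created_by", "created_by_alias", "publish_up"}


def filter_article_form(submitted: dict, can_edit_author: bool):
    """Keep only fields the caller may set; report the rest for auditing."""
    allowed = FIELDS_PRIVILEGED if can_edit_author else FIELDS_ANY_EDITOR
    clean = {k: v for k, v in submitted.items() if k in allowed}
    dropped = set(submitted) - set(clean)
    return clean, dropped


def save_article_weak(existing: dict, submitted: dict) -> dict:
    """Weak: every submitted key is merged into the stored record."""
    return {**existing, **submitted}


def save_article(existing: dict, submitted: dict, can_edit_author: bool) -> dict:
    """Hardened: the form is filtered against the caller's permission first."""
    clean, dropped = filter_article_form(submitted, can_edit_author)
    if dropped:
        # In a real application this is where the attempt would be logged.
        pass
    return {**existing, **clean}


if __name__ == "__main__":
    # Constructed sample: article 7 belongs to user 42; a low-privilege editor
    # submits a form that also carries created_by=1.
    existing = {"id": 7, "title": "Old title", "created_by": 42}
    tampered = {"title": "New title", "created_by": 1}
    print(save_article_weak(existing, tampered)["created_by"])          # 1
    print(save_article(existing, tampered, can_edit_author=False))      # created_by stays 42
```

    Note the direction of the check: the server decides which fields exist for this user, rather than trying to deny specific dangerous ones, so a field added to the form later is not writable by accident.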

  • Security advisory: [20170405] - Core - XSS Vulnerability
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 3.2.0 through 3.6.5
    • Exploit type: XSS
    • Reported Date: 2016-February-28
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7987

    Description

    Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: David Jardin

  • Security advisory: [20170404] - Core - XSS Vulnerability
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 1.5.0 through 3.6.5
    • Exploit type: XSS
    • Reported Date: 2017-February-22
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7986

    Description

    Inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 1.5.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Fortinet's FortiGuard Labs

  • Security advisory: [20170403] - Core - XSS Vulnerability
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 1.5.0 through 3.6.5
    • Exploit type: XSS
    • Reported Date: 2017-March-21
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7985

    Description

    Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.

    Affected Installs

    Joomla! CMS versions 1.5.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Fortinet's FortiGuard Labs

  • Security advisory: [20170402] - Core - XSS Vulnerability
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 3.2.0 through 3.6.5
    • Exploit type: XSS
    • Reported Date: 2016-December-23
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7984

    Description

    Inadequate filtering leads to XSS in the template manager component.

    Affected Installs

    Joomla! CMS versions 3.2.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Chen Ruiqi, Codesafe team
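    Advisories 20170405 and 20170402 (unescaped file and folder names in the template manager) and 20170404 (unfiltered HTML attributes) describe the two halves of the same discipline: escape untrusted text for the context it lands in, and when user HTML must be kept, allow-list tags and attributes rather than deny-list the bad ones. The Python below is added as an illustration and is not Joomla's output or filtering code. `render_file_list` escapes names for an HTML text context; `sanitize` keeps only allow-listed tags and attributes, which drops every `on*` handler, and checks URL attributes by scheme after stripping the control characters browsers ignore inside a scheme. The tag and attribute policy is an assumption for the example.

```python
import html
import re
from html.parser import HTMLParser


def render_file_list(names):
    """Escape each file/folder name for the HTML text context it is placed in."""
    items = "".join(f"<li>{html.escape(name)}</li>" for name in names)
    return f"<ul>{items}</ul>"


# Assumed policy for the example: a small allow-list of tags and attributes.
ALLOWED_TAGS = {"a", "b", "i", "p", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"img"}


def safe_url(value: str) -> bool:
    """Reject URL schemes outside the allow-list.

    Browsers discard ASCII control characters and whitespace inside the
    scheme, so "java\tscript:" is checked as "javascript:".
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme, sep, _ = cleaned.partition(":")
    if not sep:
        return True  # relative URL, no scheme
    return scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Re-serialise a fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror, onclick, style, and anything unlisted
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded on input; re-escape on output.
        self.out.append(html.escape(data))


def sanitize(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_file_list(['"><img src=x onerror=alert(1)>']))
    print(sanitize('<img src=x onerror=alert(1)>'))            # <img src="x">
    print(sanitize('<a href="java\tscript:alert(1)">x</a>'))   # <a>x</a>
```

    The file-name case needs no parser at all: the name is data, so it is escaped at the point of output. The sanitizer is only for content that must remain HTML, and even there the allow-list, not a list of known-bad attributes, is what makes new handler names and encoding tricks irrelevant.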

  • Security advisory: [20170401] - Core - Information Disclosure
    • Project: Joomla!
    • SubProject: CMS
    • Severity: Low
    • Versions: 1.5.0 through 3.6.5
    • Exploit type: Information Disclosure
    • Reported Date: 2017-Jan-02
    • Fixed Date: 2017-April-25
    • CVE Number: CVE-2017-7983

    Description

    Mail sent using the JMail API leaked the used PHPMailer version in the mail headers.

    Affected Installs

    Joomla! CMS versions 1.5.0 through 3.6.5

    Solution

    Upgrade to version 3.7.0

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Conor McKnight

  • Security advisory: [20161205] - PHPMailer Security Advisory
    • Project: Joomla!
    • Severity: High
    • Versions: 1.5.0 through 3.6.5
    • Exploit type: Remote Code Execution in third-party PHPMailer library
    • CVE Numbers: CVE-2016-10033 and CVE-2016-10045
    Note: This advisory was revised to reflect the addition of CVE-2016-10045 and the PHPMailer 5.2.20 release

    Description

    All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.20, which will be included with Joomla! 3.7. After analysis, the JSST has determined that, through correct use of the JMail class, additional validations are in place which make exploiting this vulnerability impractical within the Joomla environment. In addition, the vulnerability requires being able to pass user input to a message's "from" address; all places in the core Joomla API which send mail use the sender address set in the global configuration and do not accept a user-supplied sender address. However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue.

    Generally, the Joomla project does not issue advisories regarding third-party libraries; however, given the severity of this issue, we felt it important to advise our users that we are aware of it and have determined that the additional validations in our API prevent triggering this vulnerability.

    Affected Installs

    Joomla! CMS versions 1.5.0 through 3.6.5

    Solution

    No action is required for Joomla users: the updated library will be included in the next scheduled release, and additional mechanisms in Joomla core prevent triggering the vulnerability. Users of the PHPMailer library outside Joomla are advised to upgrade to 5.2.20 or newer as soon as possible.

    Contact

    The JSST at the Joomla! Security Centre.

    Reported By: Dawid Golunski
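    The practical point of the advisory above is the sentence about sender addresses: the "from" address comes only from configuration, and user input never reaches it. The Python below is an added illustration of that policy (it is not Joomla's JMail class and not PHPMailer's validation) for an extension author who sends mail outside the core API. The envelope sender is fixed from configuration; an address supplied by a user may only go into Reply-To, and only after a deliberately strict syntax check that rejects quoted local parts, whitespace and shell-significant characters, which is narrower than what the e-mail RFCs permit. The configured sender, the addresses and the regex are assumptions for the example.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed global configuration for the example (the site's fixed sender).
CONFIG_SENDER = ("Site Mailer", "noreply@example.org")

# Deliberately narrower than RFC 5322: a plain dot-separated local part and a
# hostname, so no quotes, spaces, backslashes or other shell-significant
# characters can appear in anything later handed to a local MTA.
LOCAL = r"[A-Za-z0-9._%+-]+"
HOST = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
STRICT_ADDR = re.compile(rf"{LOCAL}@{HOST}")


def is_strict_address(addr: str) -> bool:
    return STRICT_ADDR.fullmatch(addr) is not None


def build_message(to_addr: str, subject: str, body: str, reply_to: str = None) -> EmailMessage:
    """Compose a message whose From is always the configured sender.

    User-controlled addresses are limited to To and Reply-To and must pass
    the strict check; anything else raises before a message exists.
    """
    if not is_strict_address(to_addr):
        raise ValueError("rejected recipient address")
    if reply_to is not None and not is_strict_address(reply_to):
        raise ValueError("rejected reply-to address")
    msg = EmailMessage()
    msg["From"] = formataddr(CONFIG_SENDER)
    msg["To"] = to_addr
    msg["Subject"] = subject
    if reply_to is not None:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg


def envelope_sender(msg: EmailMessage) -> str:
    """The address that would be handed to the MTA as the envelope sender."""
    return parseaddr(msg["From"])[1]


if __name__ == "__main__":
    # Constructed sample input: a contact form where the visitor types an address.
    m = build_message("bob@example.net", "Contact form", "Hello", reply_to="alice@example.org")
    print(envelope_sender(m))                       # noreply@example.org
    print(is_strict_address('"a b"@example.org'))   # False: RFC-valid, rejected here
```

    Rejecting RFC-valid addresses is a deliberate trade-off: the quoted-local-part syntax is almost never used legitimately by web-form visitors, and excluding it removes the whole class of input the advisory says the bug depends on.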

Information

Welcome to your Admin Panel.

From these pages you can easily reach the various administration sections for your domain and your e-mail.

From the top menu choose whether to go to the PLESK section or to the Web Mail, then click on the images to open the page you want.

You can also open the server monitoring page to view graphs of the status of the server that hosts your domain, or the page with information about your domain's PHP configuration.

On the "News" page you will find a selection of links to articles about CMS, Internet and software; the "Security" section shows links to articles about vulnerabilities discovered in the main CMSs (Joomla, Wordpress, Drupal, PhpBB, etc.).