Three security vulnarabilities in Joomla core are fixed with the release of version 3.9.21

joomla hosting

Joomla 3.9.21 is now available. This is a security release for the 3.x series of Joomla which addresses 3 security vulnerabilities and contains over 20 bug fixes and improvements.

What's in 3.9.21?

Joomla 3.9.21 includes 3 security vulnerability fixes and addresses several bugs, including:

Security Issues Fixed

  • Low Priority - Core - XSS in mod_latestactions (affecting Joomla! 3.9.0 through 3.9.20) More information »
  • Low Priority - Core - Open redirect in com_content vote feature (affecting Joomla! 3.0.0 through 3.9.20) More information »
  • Low Priority - Core - Directory traversal in com_media (affecting Joomla! 2.5.0 through 3.9.20) More information »

Bug fixes and Improvements

  • TinyMCE updated #30329
  • CodeMirror updated #30370
  • Upload Package File / Joomla Update : Upload file size check added #30190 #29895
  • Actions Log: Log an event when Joomla is updated #30157

Core - Open redirect in com_content vote feature

   Project: Joomla!
    SubProject: CMS
    Impact: Low
    Severity: Low
    Versions: 3.0.0-3.9.20
    Exploit type: Open Redirect
    Reported Date: 2020-July-05
    Fixed Date: 2020-August-25
    CVE Number: CVE-2020-24598

Description

Lack of input validation in com_content leads to an open redirect.

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.20

Solution

Upgrade to version 3.9.21

Core - Directory traversal in com_media

    Project: Joomla!
    SubProject: CMS
    Impact: Low
    Severity: Low
    Versions: 2.5.0-3.9.20
    Exploit type: Directory Traversal
    Reported Date: 2020-February-02
    Fixed Date: 2020-August-25
    CVE Number: CVE-2020-24597

Description

Lack of input validation allows com_media root paths outside of the webroot.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.20

Solution

Upgrade to version 3.9.21

Core - XSS in mod_latestactions

  Project: Joomla!
    SubProject: CMS
    Impact: Moderate
    Severity: Low
    Versions: 3.9.0-3.9.20
    Exploit type: XSS
    Reported Date: 2020-August-21
    Fixed Date: 2020-August-25
    CVE Number: CVE-2020-24599

Description

Lack of escaping in mod_latestactions allows XSS attacks.

Affected Installs

Joomla! CMS versions 3.9.0 - 3.9.20

Solution

Upgrade to version 3.9.21

Alex Shaposhnik's picture
Alex Shaposhnik
Technical Support Specialist
I provide technical assistance to our customers with all kinds of technical, hardware or software problems by modifying, installing, cleaning and repairing server-side software and customers' web applications and communicating to them the detailed answers and troubleshooting steps performed.

We value your opinion. Please add your feedback.