====================================================================
CERT-Renater Information Note No. 2017/VULN340
_____________________________________________________________________

DATE                 : 10/11/2017
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Joomla! versions prior to 3.8.2.
=====================================================================

http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/ZBmazG0EZeU/715-20171103-core-information-disclosure.html
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/KWysQZRrTWQ/713-20171102-core-2-factor-authentication-bypass.html
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/_Ud0fZdMIyg/714-20171101-core-ldap-information-disclosure.html

_______________________________________________________________

[20171103] - Core - Information Disclosure

Project:       Joomla!
SubProject:    CMS
Severity:      Low
Versions:      3.7.0 through 3.8.1
Exploit type:  Information Disclosure
Reported Date: 2017-May-17
Fixed Date:    2017-November-07
CVE Number:    CVE-2017-16633

Description
A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.

Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.1

Solution
Upgrade to version 3.8.2

Contact
The JSST at the Joomla! Security Centre.

Reported By: Internal JSST audit

_______________________________________________________________

[20171102] - Core - 2-factor-authentication bypass

Project:       Joomla!
SubProject:    CMS
Severity:      Medium
Versions:      3.2.0 through 3.8.1
Exploit type:
Reported Date: 2017-October-31
Fixed Date:    2017-November-07
CVE Number:    CVE-2017-16634

Description
A bug allowed third parties to bypass a user's 2-factor-authentication method.

Affected Installs
Joomla! CMS versions 3.2.0 through 3.8.1

Solution
Upgrade to version 3.8.2

Contact
The JSST at the Joomla! Security Centre.

Reported By: Yarince

_______________________________________________________________

[20171101] - Core - LDAP Information Disclosure

Project:       Joomla!
SubProject:    CMS
Severity:      Medium
Versions:      1.5.0 through 3.8.1
Exploit type:  Information Disclosure
Reported Date: 2017-October-06
Fixed Date:    2017-November-07
CVE Number:    CVE-2017-14596

Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
The issue lies in the "Authentication - LDAP" plugin, which is disabled by default; sites that authenticate only against the Joomla! database do not reach the vulnerable code, but should still upgrade.

Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.1

Solution
Upgrade to version 3.8.2

Contact
The JSST at the Joomla! Security Centre.

Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

==========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel     | fax  : 01-53-94-20-41          +
+ 75013 Paris            | email: cert@support.renater.fr +
==========================================================
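Appended example for the LDAP advisory above ([20171101], CVE-2017-14596). The advisory only says that user-supplied text reached an LDAP search filter without adequate escaping; the block below is an added illustration of that class of bug, not code from the CERT-Renater note or from Joomla's plugin. It implements RFC 4515 filter-value escaping, builds the same user lookup filter with and without it, and evaluates both against a constructed three-entry directory so the difference in what the filter selects is visible. The attribute names (uid, cn), the sample entries and the login names are assumptions made for the demo.

```python
"""Added example (not Joomla's plugin code): RFC 4515 escaping of user input placed in an
LDAP search filter, plus a tiny filter evaluator showing what unescaped input does."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape_filter_value(value: str) -> str:
    """Escape one assertion value so every character is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter_vulnerable(attr: str, username: str) -> str:
    """Raw interpolation: '*', '(' and ')' in the login name keep their filter meaning."""
    return f"({attr}={username})"

def build_filter_hardened(attr: str, username: str) -> str:
    """Same filter with the login name escaped, so it can only match literally."""
    return f"({attr}={ldap_escape_filter_value(username)})"

def _value_to_regex(raw: str) -> str:
    """Unescaped '*' becomes a wildcard; a \\xx escape becomes one literal character."""
    parts, buf, i = [], "", 0
    while i < len(raw):
        if raw[i] == "\\":
            hex2 = raw[i + 1:i + 3]
            if len(hex2) != 2:
                raise ValueError("truncated hex escape in filter value")
            buf += chr(int(hex2, 16))
            i += 3
        elif raw[i] == "*":
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += raw[i]
            i += 1
    return ".*".join(re.escape(p) for p in parts + [buf])

def _parse(s: str, i: int):
    # Parse one parenthesised filter at offset i; return (offset after it, node).
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):
        i, kids = i + 1, []
        while s[i:i + 1] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if not kids or s[i:i + 1] != ")":
            raise ValueError(f"malformed {op!r} filter")
        return i + 1, (op, kids)
    if op == "!":
        i, kid = _parse(s, i + 1)
        if s[i:i + 1] != ")":
            raise ValueError("malformed '!' filter")
        return i + 1, ("!", [kid])
    end = s.find(")", i)  # a raw ')' always ends the item; a literal one must be written \29
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, eq, raw = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return end + 1, ("=", (attr.lower(), _value_to_regex(raw)))

def parse_filter(s: str):
    pos, node = _parse(s, 0)
    if pos != len(s):  # e.g. "(uid=admin)(cn=*)": a second clause the application never wrote
        raise ValueError(f"trailing data after filter: {s[pos:]!r}")
    return node

def matches(node, entry: dict) -> bool:
    op, payload = node
    if op == "=":
        attr, regex = payload
        return any(re.fullmatch(regex, v, re.IGNORECASE | re.DOTALL) for v in entry.get(attr, []))
    if op == "&":
        return all(matches(k, entry) for k in payload)
    if op == "|":
        return any(matches(k, entry) for k in payload)
    return not matches(payload[0], entry)  # "!"

def search(directory, filter_string: str):
    # uid of every entry the filter selects; ValueError if the filter is malformed.
    node = parse_filter(filter_string)
    return [e["uid"][0] for e in directory if matches(node, e)]

# Constructed sample directory: attribute names lower-cased, values as lists, as LDAP returns them.
DIRECTORY = [
    {"uid": ["admin"], "cn": ["Site Administrator"]},
    {"uid": ["alice"], "cn": ["Alice Example"]},
    {"uid": ["bob"], "cn": ["Bob Example"]},
]

if __name__ == "__main__":
    for login in ("alice", "*", "admin)(cn=*"):
        for build in (build_filter_vulnerable, build_filter_hardened):
            flt = build("uid", login)
            try:
                print(f"{flt:32} -> {search(DIRECTORY, flt)}")
            except ValueError as exc:
                print(f"{flt:32} -> rejected ({exc})")
```

With the raw builder, a login name of `*` turns the lookup into `(uid=*)` and selects every entry, and a name containing `)(` either yields a filter the server rejects or, on a lenient parser, an extra clause the application never wrote; after escaping, the same input becomes `(uid=\2a)` or `(uid=admin\29\28cn=\2a)` and can only match a user literally named that way. In PHP, which is what a Joomla! plugin would be written in, the equivalent of `ldap_escape_filter_value` is the built-in `ldap_escape($value, '', LDAP_ESCAPE_FILTER)`; any site-specific authentication plugin that concatenates a login name into a filter should be checked for its use.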