====================================================================
CERT-Renater Information Note No. 2020/VULN219
_____________________________________________________________________

DATE                 : 22/04/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Joomla! versions prior to 3.9.17.
=====================================================================

https://developer.joomla.org/security-centre/809-20200401-core-incorrect-access-control-in-com-users-access-level-editing-function.html
https://developer.joomla.org/security-centre/810-20200402-core-missing-checks-for-the-root-usergroup-in-usergroup-table.html
https://developer.joomla.org/security-centre/811-20200403-core-incorrect-access-control-in-com-users-access-level-deletion-function.html
_____________________________________________________________________

[20200401] - Core - Incorrect access control in com_users access level editing function

Project:       Joomla!
SubProject:    CMS
Impact:        Low
Severity:      Low
Versions:      3.8.8 - 3.9.16
Exploit type:  Incorrect Access Control
Reported Date: 2020-March-13
Fixed Date:    2020-April-21
CVE Number:    CVE-2020-11891

Description
Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

Affected Installs
Joomla! CMS versions 3.8.8 - 3.9.16

Solution
Upgrade to version 3.9.17

Contact
The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC
_____________________________________________________________________

[20200402] - Core - Missing checks for the root usergroup in usergroup table

Project:       Joomla!
SubProject:    CMS
Impact:        Moderate
Severity:      Low
Versions:      2.5.0 - 3.9.16
Exploit type:  Incorrect Access Control
Reported Date: 2020-February-27
Fixed Date:    2020-April-21
CVE Number:    CVE-2020-11890

Description
Improper input validation in the usergroup table class could lead to a broken ACL configuration.

Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.16

Solution
Upgrade to version 3.9.17

Contact
The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC
_____________________________________________________________________

[20200403] - Core - Incorrect access control in com_users access level deletion function

Project:       Joomla!
SubProject:    CMS
Impact:        Moderate
Severity:      Low
Versions:      2.5.0 - 3.9.16
Exploit type:  Incorrect Access Control
Reported Date: 2020-March-13
Fixed Date:    2020-April-21
CVE Number:    CVE-2020-11889

Description
Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

Affected Installs
Joomla! CMS versions 2.5.0 - 3.9.16

Solution
Upgrade to version 3.9.17

Contact
The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC
=========================================================
+ CERT-RENATER          | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax   : 01-53-94-20-41          +
+ 75013 Paris           | email : cert@support.renater.fr +
=========================================================