
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN641
_____________________________________________________________________

DATE                : 25/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Joomla versions prior to 3.9.23.

=====================================================================
https://www.joomla.org/announcements/release-news/5828-joomla-3-9-23.html
_____________________________________________________________________

Joomla 3.9.23 is now available. This is a security release for the 3.x
series of Joomla which addresses 7 security vulnerabilities and contains
more than 35 bug fixes and improvements.


What's in 3.9.23?

Joomla 3.9.23 includes 7 security vulnerability fixes and addresses
several bugs, including:


Security Issues Fixed

    [20201101] Low Priority - High Impact - com_finder ignores access
    levels on autosuggest (affecting Joomla! 2.5.0 through 3.9.22)

    [20201102] Low Priority - Moderate Impact - Disclosure of secrets in
    Global Configuration page (affecting Joomla! 2.5.0 through 3.9.22)

    [20201103] Low Priority - Moderate Impact - Path traversal in
    mod_random_image (affecting Joomla! 2.5.0 through 3.9.22)

    [20201104] Low Priority - High Impact - SQL injection in com_users
    list view (affecting Joomla! 3.0.0 through 3.9.22)

    [20201105] Low Priority - Low Impact - User enumeration in backend
    login (affecting Joomla! 3.9.0 through 3.9.22)

    [20201106] Low Priority - Low Impact - CSRF in com_privacy
    emailexport feature (affecting Joomla! 3.9.0 through 3.9.22)

    [20201107] Low Priority - High Impact - Write ACL violation in
    multiple core views (affecting Joomla! 1.7.0 through 3.9.22)
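
Since each issue above has its own first-affected release, a site on an
older branch is not necessarily exposed to all seven. The following Python
script, added here as an illustration and not part of the Joomla release
notes or of this bulletin, reads the installed version and lists which of
the seven advisories apply. It assumes the "const RELEASE = '3.9';" /
"const DEV_LEVEL = '22';" layout of a Joomla 3.x libraries/src/Version.php
and treats 3.9.23 as the only fixed release.

```python
"""List which 3.9.23 advisories apply to an installed Joomla 3.x version."""
import re

# Advisory ID -> (title, first affected release), as given in the bulletin.
# Every entry is fixed in 3.9.23, so the last affected release is 3.9.22.
ADVISORIES = {
    "20201101": ("com_finder ignores access levels on autosuggest", "2.5.0"),
    "20201102": ("Disclosure of secrets in Global Configuration page", "2.5.0"),
    "20201103": ("Path traversal in mod_random_image", "2.5.0"),
    "20201104": ("SQL injection in com_users list view", "3.0.0"),
    "20201105": ("User enumeration in backend login", "3.9.0"),
    "20201106": ("CSRF in com_privacy emailexport feature", "3.9.0"),
    "20201107": ("Write ACL violation in multiple core views", "1.7.0"),
}
FIXED_IN = (3, 9, 23)

# Constructed sample of a Version.php; the constant layout is an assumption.
SAMPLE_VERSION_PHP = """<?php
class Version {
    const RELEASE = '3.9';
    const DEV_LEVEL = '22';
}
"""


def parse_version(text: str) -> tuple:
    """Turn '3.9.22' into (3, 9, 22) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_php(source: str) -> str:
    """Rebuild 'RELEASE.DEV_LEVEL' (e.g. '3.9.22') from Version.php text."""
    release = re.search(r"RELEASE\s*=\s*'([\d.]+)'", source)
    level = re.search(r"DEV_LEVEL\s*=\s*'(\d+)'", source)
    if not release or not level:
        raise ValueError("RELEASE / DEV_LEVEL constants not found")
    return f"{release.group(1)}.{level.group(1)}"


def applicable_advisories(version: str) -> list:
    """Return the advisory IDs whose affected range covers `version`."""
    installed = parse_version(version)
    if installed >= FIXED_IN:
        return []  # 3.9.23 or later: nothing in this bulletin applies
    return [aid for aid, (_, first) in ADVISORIES.items()
            if installed >= parse_version(first)]


if __name__ == "__main__":
    found = version_from_php(SAMPLE_VERSION_PHP)
    print(found, applicable_advisories(found))
```

Point version_from_php at the real file contents of an installation to get the
same report for a live site.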


Bug fixes and Improvements

In order to get Joomla ready for PHP 8 (to be released on November 26th,
2020), Joomla 3.9.23 includes fixes to ensure PHP 8 compatibility (see
#31246, #30608, #30582, #29353, #30922, #31444, #31434, #31442, #31445).

    TinyMCE updated #30329
    Fix for frontend module editing permissions #30778
    Fix for the loss of transparency when cropping/resizing images #30977
    Validation rule added for the redirect header field #31016


Visit GitHub for the full list of bug fixes.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================