
====================================================================

                             CERT-Renater

                  Information Note No. 2021/VULN212
_____________________________________________________________________

DATE                : 14/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Joomla! CMS versions prior to
                     3.9.26.

=====================================================================
https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html
https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html
_____________________________________________________________________


[20210401] - Core - Escape xss in logo parameter error pages

    Project: Joomla!
    SubProject: CMS
    Impact: Low
    Severity: Low
    Versions: 3.0.0 - 3.9.25
    Exploit type: XSS
    Reported Date: 2021-03-09
    Fixed Date: 2021-04-13
    CVE Number: CVE-2021-26030

Description

Inadequate escaping allowed XSS attacks using the logo parameter of the
default templates on error pages.


Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.25


Solution

Upgrade to version 3.9.26


Contact

The JSST at the Joomla! Security Centre.


Reported By: HOANG NGUYEN


_____________________________________________________________________


[20210402] - Core - Inadequate filters on module layout settings

    Project: Joomla!
    SubProject: CMS
    Impact: Low
    Severity: Low
    Versions: 3.0.0 - 3.9.25
    Exploit type: LFI
    Reported Date: 2021-01-03
    Fixed Date: 2021-04-13
    CVE Number: CVE-2021-26031


Description

Inadequate filters on module layout settings could lead to an LFI.


Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.25


Solution

Upgrade to version 3.9.26


Contact

The JSST at the Joomla! Security Centre.


Reported By: Lee Thao from Viettel Cyber Security


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



