
=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN040

_____________________________________________________________________

DATE                : 01/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Joomla! 4 versions prior to 4.2.7.

=====================================================================
https://developer.joomla.org/security-centre/890-20230101-core-csrf-within-post-installation-messages
https://developer.joomla.org/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html
_____________________________________________________________________


[20230101] - Core - CSRF within post-installation messages

     Project: Joomla!
     SubProject: CMS
     Impact: Low
     Severity: Low
     Probability: Low
     Versions: 4.0.0-4.2.6
     Exploit type: CSRF
     Reported Date: 2022-12-24
     Fixed Date: 2023-01-31
     CVE Number: CVE-2023-23750

Description
A missing token check causes a CSRF vulnerability in the handling
of post-installation messages.


Affected Installs

Joomla! CMS versions 4.0.0-4.2.6


Solution

Upgrade to version 4.2.7


Contact

The JSST at the Joomla! Security Centre.
Reported By: Faizan Wani

_____________________________________________________________________


[20230102] - Core - Missing ACL checks for com_actionlogs

     Project: Joomla!
     SubProject: CMS
     Impact: Low
     Severity: Low
     Probability: Low
     Versions: 4.0.0-4.2.6
     Exploit type: Incorrect Access Control
     Reported Date: 2023-01-01
     Fixed Date: 2023-01-31
     CVE Number: CVE-2023-23751


Description
A missing ACL check allows non-super-admin users to access
com_actionlogs.


Affected Installs

Joomla! CMS versions 4.0.0-4.2.6


Solution

Upgrade to version 4.2.7


Contact

The JSST at the Joomla! Security Centre.
Reported By: Faizan Wani
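
The two defects above are of the same shape: a state-changing or privileged administrator task reachable without a session-token check (CVE-2023-23750) or without a permission check (CVE-2023-23751). The following is an added illustration, not Joomla's own code or its actual patch: a hypothetical Joomla 4 administrator controller showing the unchecked task next to the hardened one, using the standard `checkToken()` and `authorise('core.admin')` calls. Component, class and task names are assumed for the example.

```php
<?php
// Added illustration (not Joomla's own code or fix). Component name, class and
// task names are hypothetical; the two checks are the standard Joomla 4 APIs.
namespace Joomla\Component\Example\Administrator\Controller;

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\MVC\Controller\BaseController;

class MessagesController extends BaseController
{
    // Vulnerable shape: a state-changing task with neither check. A page that
    // a logged-in administrator merely visits can submit this request (CSRF),
    // and any authenticated account can reach it (missing ACL).
    public function hideUnchecked(): void
    {
        $this->applyHide($this->input->getInt('id'));
    }

    // Hardened shape: first refuse requests that do not carry a valid session
    // token, then require the Super User permission before changing state.
    public function hide(): void
    {
        // BaseController::checkToken() validates the session token and, on
        // failure, redirects back with an invalid-token warning.
        $this->checkToken();

        $user = Factory::getApplication()->getIdentity();
        if ($user === null || !$user->authorise('core.admin')) {
            // Same outcome a missing-ACL fix should produce: deny, do not act.
            throw new \Exception(Text::_('JERROR_ALERTNOAUTHOR'), 403);
        }

        $this->applyHide($this->input->getInt('id'));
        $this->setRedirect('index.php?option=com_example&view=messages');
    }

    // Hypothetical state change; the real work would go through a model.
    private function applyHide(int $id): void
    {
        $this->app->enqueueMessage(Text::sprintf('COM_EXAMPLE_HIDDEN_N', $id));
    }
}
```

Every form or link that triggers `hide` must embed the token from `Joomla\CMS\Session\Session::getFormToken()` (or `HTMLHelper::_('form.token')`), otherwise the hardened task will reject legitimate administrator requests as well.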


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================