
=====================================================================

                             CERT-Renater

                  Note d'Information No. 2023/VULN208

_____________________________________________________________________

DATE                : 01/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Joomla! CMS 4.2.0 through 4.3.1 (fixed in 4.3.2).

=====================================================================
https://developer.joomla.org/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html
https://developer.joomla.org/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html
_____________________________________________________________________


Security Announcements
[20230501] - Core - Open Redirects and XSS within the mfa selection

     Project: Joomla!
     SubProject: CMS
     Impact: Low
     Severity: Low
     Probability: Low
     Versions: 4.2.0-4.3.1
     Exploit type: Open Redirect / XSS
     Reported Date: 2023-02-28
     Fixed Date: 2023-05-28
     CVE Number: CVE-2023-23754

Description
Lack of input validation in the new MFA method-selection screen caused an
open redirect and a cross-site scripting (XSS) issue.
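The advisory above only names the vulnerability class. As an added example (not Joomla's code, and not a reconstruction of the actual fix), the following shows a post-login "return" parameter handled the way the description implies (trusted as-is), next to a hardened validator that only accepts a rooted path on the current site or an https URL on the same host, and escapes the value when echoing it into markup. The parameter name, the hostname `example.org` and the function names are assumptions for the demonstration.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment hostname for the demonstration (not from the advisory).
SITE_HOST = "example.org"


def vulnerable_redirect_target(return_param: str) -> str:
    """'Before' behaviour: the caller-supplied target is trusted as-is.
    A value such as //evil.org leaves the site, and javascript:... or
    "><script> runs script if the value is echoed into markup."""
    return return_param or "/"


def safe_redirect_target(return_param: str, site_host: str = SITE_HOST) -> str:
    """Return a redirect target that provably stays on this site, else "/"."""
    if not return_param:
        return "/"
    # CR/LF would allow response-header injection, and browsers ignore tabs
    # and newlines inside a scheme ("java\tscript:"), so refuse any control
    # character or whitespace instead of trying to strip it.
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in return_param):
        return "/"
    # Browsers treat "\" as "/" in the authority part, so "/\evil.org" is a
    # protocol-relative URL to evil.org; normalise before parsing.
    parts = urlsplit(return_param.replace("\\", "/"))
    if parts.scheme:
        # Absolute URL: only https on our own host is acceptable. Comparing
        # .hostname (not .netloc) defeats "https://example.org@evil.org/".
        if parts.scheme != "https" or (parts.hostname or "") != site_host:
            return "/"
        return urlunsplit(("https", site_host, parts.path or "/", parts.query, ""))
    if parts.netloc or not parts.path.startswith("/"):
        # "//evil.org/x" has a netloc but no scheme; "evil.org/x" is not rooted.
        return "/"
    # Keep path and query only; the fragment never reaches the server anyway.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_return_link(return_param: str) -> str:
    """Echo the validated target into HTML, escaped for the attribute context.
    Validation guarantees no javascript: scheme; escaping closes the XSS
    vector for quotes and angle brackets inside an otherwise valid path."""
    target = safe_redirect_target(return_param)
    return f'<a href="{escape(target, quote=True)}">Continue</a>'
```

The validator is deliberately deny-by-default: anything it cannot classify goes to "/", which is the behaviour you want on an authentication flow. The HTML escaping is a separate layer; a path that passes validation can still contain `"` or `<`, so the redirect check alone does not close the XSS half of the issue.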


Affected Installs

Joomla! CMS versions 4.2.0-4.3.1


Solution

Upgrade to version 4.3.2


Contact

The JSST at the Joomla! Security Centre.
Reported By:  Srpopty from huntr.dev

_____________________________________________________________________


[20230502] - Core - Bruteforce prevention within the mfa screen

     Project: Joomla!
     SubProject: CMS
     Impact: Critical
     Severity: Moderate
     Probability: Low
     Versions: 4.2.0-4.3.1
     Exploit type: Lack of rate limiting
     Reported Date: 2023-04-29
     Fixed Date: 2023-05-30
     CVE Number: CVE-2023-23755


Description
The MFA screen did not rate-limit failed verification attempts, so the
configured MFA methods could be brute-forced.
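As an added example (not Joomla's code, and not a reconstruction of its fix), the following contrasts an MFA code check that evaluates every attempt with one that counts failures per user and refuses further attempts, including a correct guess, during a lockout window. The policy values (5 attempts, 900 seconds), the user name, the sample code `123456` and the `ManualClock` helper are constructed for the demonstration.

```python
from __future__ import annotations

import hmac
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy values for the demonstration (not from the advisory).
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900


class ManualClock:
    """Test clock so the demonstration can advance time without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class MfaVerifier:
    def __init__(self, codes: Dict[str, str],
                 now: Callable[[], float] = time.monotonic) -> None:
        self._codes = codes            # constructed sample: user -> valid code
        self._now = now
        self._failures: Dict[str, List[float]] = {}   # user -> failure times
        self._locked_until: Dict[str, float] = {}

    def _code_matches(self, user: str, code: str) -> bool:
        expected = self._codes.get(user, "")
        # Constant-time compare so timing does not leak the matching prefix.
        return hmac.compare_digest(expected.encode(), code.encode())

    def verify_unlimited(self, user: str, code: str) -> bool:
        """'Before' behaviour: every attempt is evaluated, so an attacker can
        simply walk the whole code space."""
        return self._code_matches(user, code)

    def verify(self, user: str, code: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. While locked the code is not
        evaluated at all, so even the right guess is refused."""
        now = self._now()
        if now < self._locked_until.get(user, 0.0):
            return "locked"
        if self._code_matches(user, code):
            self._failures.pop(user, None)
            return "ok"
        # Sliding window of recent failures; lock when the budget is spent.
        recent = [t for t in self._failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = recent
        return "invalid"


def brute_force(attempt: Callable[[str], str], digits: int = 6) -> Tuple[Optional[str], int]:
    """Submit every numeric code in order; returns (code found, attempts made)."""
    attempts = 0
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        attempts += 1
        result = attempt(code)
        if result == "ok":
            return code, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    clock = ManualClock()
    before = MfaVerifier({"alice": "123456"}, now=clock)
    print(brute_force(lambda c: "ok" if before.verify_unlimited("alice", c) else "invalid"))
    after = MfaVerifier({"alice": "123456"}, now=clock)
    print(brute_force(lambda c: after.verify("alice", c)))
```

Two caveats for a real deployment: a purely per-account lockout lets an attacker who knows a user name deny that user service, so the counter is usually kept on the pending authentication session and complemented by per-source throttling; and time-based codes rotate, so the attempt budget must be small relative to the code space per rotation window, not just per lockout.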


Affected Installs

Joomla! CMS versions 4.2.0-4.3.1


Solution

Upgrade to version 4.3.2


Contact

The JSST at the Joomla! Security Centre.
Reported By:  Phil Taylor



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

