=====================================================================
CERT-Renater Information Note No. 2025/VULN013
_____________________________________________________________________

DATE : 17/01/2025

HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Joomla! CMS versions prior to 3.10.20-elts, 4.4.10, 5.2.3.
=====================================================================

https://developer.joomla.org/security-centre/954-20250101-core-xss-vectors-in-module-chromes.html
https://developer.joomla.org/security-centre/955-20250102-core-xss-vector-in-the-id-attribute-of-menu-lists.html
https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html
_____________________________________________________________________

Security Announcements

[20250101] - Core - XSS vectors in module chromes

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Moderate
Probability: Low
Versions: 4.0.0-4.4.9, 5.0.0-5.2.2
Exploit type: XSS
Reported Date: 2024-08-29
Fixed Date: 2025-01-07
CVE Number: CVE-2024-40747

Description
Various module chromes didn't properly process inputs, leading to XSS vectors.

Affected Installs
Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2

Solution
Upgrade to version 4.4.10 or 5.2.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Catalin Iovita
_____________________________________________________________________

Security Announcements

[20250102] - Core - XSS vector in the id attribute of menu lists

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Moderate
Probability: Low
Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
Exploit type: XSS
Reported Date: 2024-09-19
Fixed Date: 2025-01-07
CVE Number: CVE-2024-40748

Description
Lack of output escaping in the id attribute of menu lists.

Affected Installs
Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

Solution
Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Lokesh Dachepalli
_____________________________________________________________________

Security Announcements

[20250103] - Core - Read ACL violation in multiple core views

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Moderate
Probability: Low
Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
Exploit type: ACL Violation
Reported Date: 2024-08-26
Fixed Date: 2025-01-07
CVE Number: CVE-2024-40749

Description
Improper access controls allow access to protected views.

Affected Installs
Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

Solution
Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

Contact
The JSST at the Joomla! Security Centre.

Reported By: Dominik Ziegelmüller

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
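As a defender-side triage check added to this note (it is not part of the CERT-Renater or Joomla! text), the following Python script compares an installed Joomla! version string against the affected ranges listed above and reports, per CVE, the release to upgrade to. The `version_from_source` helper assumes that the Joomla! `libraries/src/Version.php` file declares `MAJOR_VERSION`, `MINOR_VERSION` and `PATCH_VERSION` constants; the PHP sample it is run on here is constructed, not a real file.

```python
import re

# Affected ranges (inclusive) and fixed releases exactly as listed in the note above.
ADVISORIES = {
    "CVE-2024-40747": {"ranges": [("4.0.0", "4.4.9"), ("5.0.0", "5.2.2")],
                       "fixed": {4: "4.4.10", 5: "5.2.3"}},
    "CVE-2024-40748": {"ranges": [("3.0.0", "3.10.19"), ("4.0.0", "4.4.9"), ("5.0.0", "5.2.2")],
                       "fixed": {3: "3.10.20-elts", 4: "4.4.10", 5: "5.2.3"}},
    "CVE-2024-40749": {"ranges": [("3.9.0", "3.10.19"), ("4.0.0", "4.4.9"), ("5.0.0", "5.2.2")],
                       "fixed": {3: "3.10.20-elts", 4: "4.4.10", 5: "5.2.3"}},
}

def parse_version(text):
    """Turn '3.10.19-elts' into (3, 10, 19); a '-elts'-style suffix is ignored for ordering."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Joomla! version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def check_version(text):
    """Return {CVE: fixed release} for every advisory in the note that covers this version."""
    ver = parse_version(text)
    hits = {}
    for cve, adv in ADVISORIES.items():
        if any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in adv["ranges"]):
            hits[cve] = adv["fixed"][ver[0]]  # fixed release for this major branch
    return hits

def version_from_source(php_source):
    """Assumption: the Joomla! Version class (libraries/src/Version.php) declares
    MAJOR_VERSION/MINOR_VERSION/PATCH_VERSION constants; read them with a regex, not by running PHP."""
    found = {}
    for name in ("MAJOR_VERSION", "MINOR_VERSION", "PATCH_VERSION"):
        m = re.search(rf"const\s+{name}\s*=\s*(\d+)\s*;", php_source)
        if not m:
            raise ValueError(f"{name} not found in Version.php")
        found[name] = m.group(1)
    return "{MAJOR_VERSION}.{MINOR_VERSION}.{PATCH_VERSION}".format(**found)

# Constructed sample of the constants block; not a real Joomla! file.
SAMPLE_VERSION_PHP = """
class Version {
    public const MAJOR_VERSION = 4;
    public const MINOR_VERSION = 4;
    public const PATCH_VERSION = 9;
    public const EXTRA_VERSION = '';
}
"""

if __name__ == "__main__":
    installed = version_from_source(SAMPLE_VERSION_PHP)
    for cve, fix in check_version(installed).items():
        print(f"{installed}: affected by {cve}, upgrade to {fix}")
```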