#JUGL meetings are held on the 3rd Tuesday of each month

NEXT MEETING:

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 2.5.0 through 3.9.2
  • Exploit type: Object Injection
  • Reported Date: 2019-January-18
  • Fixed Date: 2019-February-12
  • CVE Number: CVE-2019-7743

Description

The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.9.2

Solution

Upgrade to version 3.9.3

Contact

The JSST at the Joomla! Security Centre.

David Jardin (JSST)

Read more

Launch a Full version of Joomla! for FREE (including hosting) Find out More