-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0152.2
                    Security Announcements
                        22 September 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Joomla!
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14596 CVE-2017-14595

Member content until: Saturday, October 21 2017

Revision History:  September 22 2017: Added missing page.
                   September 21 2017: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Joomla! in
        versions prior to 3.8.0. [1]

IMPACT

        The vendor has provided the following information:

        "[20170901] - Core - Information Disclosure

        Project: Joomla!
        SubProject: CMS
        Severity: Low
        Versions: 3.7.0 through 3.7.5
        Exploit type: Information Disclosure
        Reported Date: 2017-August-4
        Fixed Date: 2017-September-19
        CVE Number: CVE-2017-14595

        Description

        A logic bug in a SQL query could lead to the disclosure of article
        intro texts when these articles are in the archived state.

        [20170902] - Core - LDAP Information Disclosure

        Project: Joomla!
        SubProject: CMS
        Severity: Medium
        Versions: 1.5.0 through 3.7.5
        Exploit type: Information Disclosure
        Reported Date: 2017-July-27
        Fixed Date: 2017-September-19
        CVE Number: CVE-2017-14596

        Description

        Inadequate escaping in the LDAP authentication plugin can result in
        a disclosure of username and password." [1]

MITIGATION

        The vendor recommends updating to the latest version of Joomla! to
        correct these issues. [1]

REFERENCES

        [1] Security Announcements
            https://developer.joomla.org/security-centre/710-20170901-core-information-disclosure.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate.
However, the decision to use the information described is the responsibility
of each user or organisation. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWcSSaIx+lLeg9Ub1AQhW4A//dHwUSBCin4cQSK4LzrkwJBOyKsALsQjd
G7k/u+T7YmtAj9x+ma1AHL0YSZH4DFSAyX98FOZGt2bh8y+bKKC82KKrshkuOJGC
lbRMqln/IOHVKJou7DGksCymVbZHrt9gZ4PNzxMxyOa0jiBA9a7sVyWarAC1FM9H
EYOo53ZtM/Maff2xHxvan9C8h5WM63lte8EWD9sCu9mGKM8dCOeci09paDDZF16a
QisElm2ybdDEsARCkt2CJ8YBuvfA4OIQ4ry3HNOH6nHjaK+zrS8XVy+8EI9smRXD
akEU2nbeoFaIuSESLHOu/u6PsC4PY/sSdSK9wB/QaeevbVivOX2g266EniDdpAhn
vRoUWusfvadyQC9SIQ/vENYrZcajszk9G83K5lpWdyL8V3IKhKcXtYkNo84wcCIP
kpfqtnea8NSG6suTBaUEHzB740YzcpUd2rUm0w+cGisEUrkw9u7tGCAK1fRYH6wh
hdCbpA4P3gMuM7sw27J7tSrphq2sLdSTMUre5Kb7t7Da2IbrlsnTUw1Uy0Rx3Ftt
WGmck1P8PLm1YMilSs8PRtAtLveKHDqJ8Vxv4qPO+voeEyb3juJ8Iv5xxQlOeuHs
ryM8LLaCXjH2zlcw+2OUOtN6+1hTEm4cy8ZTqzVhUabhmnZYA2rVd4Vmg9wIQQqI
1fT0JJYqlKI=
=E876
-----END PGP SIGNATURE-----
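The second vendor item in the bulletin, [20170902], names the bug class (inadequate escaping of user input in an LDAP authentication plugin) but not the mechanism by which it leaks a username and password. What follows is an added example, not part of the AusCERT bulletin and not Joomla's code: a minimal RFC 4515 filter matcher run over a constructed two-entry directory, with a constructed login-lookup template `(&(objectClass=person)(uid={username}))`. It shows how raw interpolation of the username lets an attacker supply `*` to enumerate every account, and `alice)(userPassword=T*` to turn the lookup into a yes/no oracle that walks another user's password one character at a time; escaping the RFC 4515 special characters as `\XX` before interpolation closes both. The directory entries, template, passwords and attacker strings are all constructed for the example.

```python
"""Added illustration of the bug class in CVE-2017-14596 (inadequate escaping in an
LDAP authentication plugin). Not Joomla's code: filter template, directory entries
and attacker inputs are constructed; only RFC 4515 equality/substring items and
the &/| operators are modelled, which is enough to show the injection."""
import string

# RFC 4515 section 3: these must appear as \XX (hex of the byte) inside an
# assertion value; left raw they change the structure of the filter.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape_filter_value(value: str) -> str:
    """Escape user input for use as a filter assertion value (the fix)."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:  # control and non-ASCII: per byte
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def _unescape(s: str) -> str:
    """Undo \\XX escapes: the literal value the directory server compares."""
    out, i = bytearray(), 0
    while i < len(s):
        esc = s[i] == "\\" and i + 2 < len(s)
        out += bytes.fromhex(s[i + 1:i + 3]) if esc else s[i].encode("utf-8")
        i += 3 if esc else 1
    return out.decode("utf-8")

def _match_value(pattern: str, actual: str) -> bool:
    """Equality/substring match: a raw '*' is a wildcard, an escaped one is not."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return actual == parts[0]
    if not actual.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = actual.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return actual.endswith(parts[-1]) and len(actual) - len(parts[-1]) >= pos

def _parse(filt: str, pos: int):
    """Parse one parenthesised filter at filt[pos]; return (node, next_pos)."""
    if filt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if filt[pos] in "&|":
        op, pos, children = filt[pos], pos + 1, []
        while pos < len(filt) and filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        if pos >= len(filt) or filt[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = filt.find(")", pos)
    if end < 0:
        raise ValueError("unterminated item filter")
    attr, sep, value = filt[pos:end].partition("=")
    if not sep:
        raise ValueError("only attr=value items are modelled")
    return ("=", attr, value), end + 1

def search(directory, filt: str) -> list:
    """Return the uids of entries matching the whole filter string."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    def matches(n, entry) -> bool:
        if n[0] in "&|":
            return (all if n[0] == "&" else any)(matches(c, entry) for c in n[1])
        return n[1] in entry and _match_value(n[2], entry[n[1]])
    return [e["uid"] for e in directory if matches(node, e)]

# Constructed sample directory and login-lookup template (not Joomla's).
DIRECTORY = [
    {"objectClass": "person", "uid": "alice", "userPassword": "Tr0ub4dor"},
    {"objectClass": "person", "uid": "bob", "userPassword": "hunter2"},
]
TEMPLATE = "(&(objectClass=person)(uid={username}))"
ALPHABET = string.ascii_letters + string.digits

def build_filter(username: str, escape: bool) -> str:
    """escape=False: raw interpolation (the bug); escape=True: the fix."""
    return TEMPLATE.format(username=ldap_escape_filter_value(username) if escape else username)

def recover_password(target_uid: str, alphabet: str = ALPHABET, escape: bool = False) -> str:
    """Attacker view: 'alice)(userPassword=T*' as the username turns the lookup
    into a yes/no oracle on the password prefix, walked one character at a time."""
    prefix = ""
    while True:
        for ch in alphabet:
            injected = f"{target_uid})(userPassword={prefix}{ch}*"
            if search(DIRECTORY, build_filter(injected, escape)):
                prefix += ch
                break
        else:
            return prefix
```

With the vulnerable build, `search(DIRECTORY, build_filter("*", escape=False))` returns both uids and `recover_password("alice")` returns `Tr0ub4dor` after at most 62 lookups per character; with `escape=True` the same inputs become literal assertion values, `(uid=\2a)` and `(uid=alice\29\28userPassword=T\2a)`, and match nothing. The matcher is deliberately small (no `!`, no `<=`/`>=`/`~=`, case-sensitive comparison); the escaping rule is the part to carry over, and in PHP, the language Joomla is written in, `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` performs the same `\XX` encoding.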