-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1418
                  Security Announcements in Joomla! core
                               23 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Joomla! Core
Publisher:         Joomla!
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
                   Reduced Security    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11891 CVE-2020-11890 CVE-2020-11889

Original Bulletin:
   https://developer.joomla.org/security-centre/809-20200401-core-incorrect-access-control-in-com-users-access-level-editing-function.html
   https://developer.joomla.org/security-centre/810-20200402-core-missing-checks-for-the-root-usergroup-in-usergroup-table.html
   https://developer.joomla.org/security-centre/811-20200403-core-incorrect-access-control-in-com-users-access-level-deletion-function.html

Comment: This bulletin contains three (3) Joomla! security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

[20200401] - Core - Incorrect access control in com_users access level editing function

o Project: Joomla!
o SubProject: CMS
o Impact: Low
o Severity: Low
o Versions: 3.8.8 - 3.9.16
o Exploit type: Incorrect Access Control
o Reported Date: 2020-March-13
o Fixed Date: 2020-April-21
o CVE Number: CVE-2020-11891

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.

Affected Installs

Joomla! CMS versions 3.8.8 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

- --------------------------------------------------------------------------------

[20200402] - Core - Missing checks for the root usergroup in usergroup table

o Project: Joomla!
o SubProject: CMS
o Impact: Moderate
o Severity: Low
o Versions: 2.5.0 - 3.9.16
o Exploit type: Incorrect Access Control
o Reported Date: 2020-February-27
o Fixed Date: 2020-April-21
o CVE Number: CVE-2020-11890

Description

Improper input validations in the usergroup table class could lead to a broken ACL configuration.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

- --------------------------------------------------------------------------------

[20200403] - Core - Incorrect access control in com_users access level deletion function

o Project: Joomla!
o SubProject: CMS
o Impact: Moderate
o Severity: Low
o Versions: 2.5.0 - 3.9.16
o Exploit type: Incorrect Access Control
o Reported Date: 2020-March-13
o Fixed Date: 2020-April-21
o CVE Number: CVE-2020-11889

Description

Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.16

Solution

Upgrade to version 3.9.17

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hoang Kien from VSEC

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================