On June 26, 2018 the newest Joomla! security update 3.8.9 was released. This version addresses two minor security vulnerabilities and several other bugs which caused errors in the application’s core.
The first of the security vulnerabilities is a local file inclusion (LFI) vulnerability affecting sites running on PHP 5.3. Developers found that the Joomla! autoload feature relies on PHP's “class_exists” function to check class names for validity, and in PHP 5.3 that function accepted both valid and invalid names. An attacker could use this to pass malicious code to the site.

The second vulnerability, also marked as low priority, is a reflected cross-site scripting (XSS) vulnerability in the language switcher module. Because some language names contain HTML special characters that were not escaped, attackers may have been able to use this to inject malicious content into the current page URL.

In addition to these vulnerabilities, Joomla! security update 3.8.9 addresses seven other vulnerabilities including:
Alongside the 3.8.9 security update, a smaller follow-up release, 3.8.10, was published the same day. It contains no security fixes and addresses a bug introduced in Joomla! 3.8.9 that affected Windows platforms only.
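To illustrate the autoloader weakness behind the LFI fix, here is an added example written for this post (not Joomla!'s own autoloader code): instead of trusting class_exists(), which on PHP 5.3 accepted names that are not legal identifiers, the class name is validated against PHP identifier syntax before it is ever turned into a file path, and the resolved file is confirmed to sit under the class directory. The lib directory and the sample class names are assumptions.

```php
<?php
// Added example (not Joomla! code): validate an autoloaded class name by its
// syntax rather than relying on class_exists(), which on PHP 5.3 accepted
// names that are not legal PHP identifiers.

// A PHP identifier starts with a letter or underscore and continues with
// letters, digits or underscores; namespace segments are separated by a
// single backslash. Anything else (slashes, dots, spaces) is refused.
const CLASS_NAME_PATTERN =
    '/^(?:[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*\\\\)*[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$/';

function isValidClassName($name)
{
    return is_string($name) && preg_match(CLASS_NAME_PATTERN, $name) === 1;
}

// Map an already validated class name to a file below $baseDir
// (namespace separators become directory separators). Returns null when the
// name fails validation, the file does not exist, or it resolves outside
// $baseDir, so no user-influenced string reaches require() unchecked.
function classFileFor($name, $baseDir)
{
    if (!isValidClassName($name)) {
        return null;
    }
    $relative = str_replace('\\', DIRECTORY_SEPARATOR, $name) . '.php';
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

spl_autoload_register(function ($name) {
    // Assumed location of the application's class files.
    $file = classFileFor($name, __DIR__ . '/lib');
    if ($file !== null) {
        require $file;
    }
});

// Constructed checks: legal identifiers pass, malformed names are refused
// before they can influence a file path.
var_dump(isValidClassName('JModelLegacy'));
var_dump(isValidClassName('Joomla\\CMS\\Factory'));
var_dump(isValidClassName('../NotAClass'));
var_dump(isValidClassName('Bad Name'));
```

The first two checks print bool(true) and the last two bool(false); the validation works the same on every PHP version because it never consults class_exists().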
Website owners using SiteLock SMART PLUS will receive patches for these vulnerabilities automatically on their next daily scan. However, to take advantage of the full set of features and bug fixes, site owners must still complete a version upgrade to 3.8.9 or 3.8.10.
If you’d like your Joomla! application to be automatically patched during the next update, call SiteLock and ask about SMART PLUS. We are available 24/7 at 855.378.6200.