The newest version of Joomla!, version 3.8.9, was released on June 26, 2018. It addresses two low-priority security vulnerabilities and several other bugs in the application’s core.
The first security fix is for a local file inclusion (LFI) vulnerability that affects sites running PHP 5.3. The Joomla! autoloader relied on PHP’s “class_exists” function to check that a requested class name was valid, but in PHP 5.3 that function also accepts invalid names, so a crafted class name could reach the code that turns class names into file paths and cause an arbitrary local file to be included. PHP 5.3 has been unsupported since 2014, so sites still on it should plan a PHP upgrade as well. The second fix, also rated low priority, is for a reflected cross-site scripting (XSS) vulnerability in the language switcher module: some languages contain HTML special characters that the module wrote into the page without escaping, so an attacker could use the current page URL to inject markup into the rendered page. In addition to these two security fixes, version 3.8.9 contains seven other bug fixes, including:
- Fixes for folder browsing and file upload, which broke in 3.8.8
- Improved tag indexing
- Updates to third-party PHP libraries
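As an added example (this is not Joomla’s own loader code and not the 3.8.9 patch), the following PHP shows the safe shape of the autoloader behaviour described above: class names are checked against an explicit allowlist before they are mapped to file paths, instead of relying on “class_exists” to reject malformed names. The directory layout, the base path and the sample class names are assumptions for the demonstration; it runs under PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's own loader code. A minimal PSR-0 style
// autoloader that turns a class name into a file path, with an explicit
// class-name allowlist instead of relying on class_exists() to reject bad
// names. The base directory and sample names below are assumed.

// Map a class name to a file under $base: namespace separators and
// underscores become directory separators, then ".php" is appended.
function classToPath(string $class, string $base): string
{
    $relative = str_replace(['\\', '_'], DIRECTORY_SEPARATOR, $class);
    return $base . DIRECTORY_SEPARATOR . $relative . '.php';
}

// Allowlist check: each segment must be a PHP identifier (letters, digits,
// underscore, not starting with a digit), segments joined by one backslash.
// \z (not $) so a trailing newline cannot sneak past the check. Dots,
// slashes, NUL bytes and whitespace can never match.
function isValidClassName(string $class): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/', $class) === 1;
}

// Resolve a class name to a file path, or null when the name is rejected.
// Because the allowlist excludes "." and "/", the resulting path cannot
// escape $base; the strpos check is defence in depth in case the regex is
// ever loosened.
function resolveClassFile(string $class, string $base): ?string
{
    if (!isValidClassName($class)) {
        return null;
    }
    $path = classToPath($class, $base);
    if (strpos($path, '..') !== false) {
        return null;
    }
    return $path;
}

// Register the hardened loader. class_exists($name) with autoloading enabled
// hands $name to this callback; whether PHP pre-filters malformed names
// before doing so depends on the PHP version, so class_exists() must never
// be the only validation step.
spl_autoload_register(function (string $class): void {
    $file = resolveClassFile($class, __DIR__ . '/libraries'); // assumed layout
    if ($file !== null && is_file($file)) {
        require $file;
    }
});

// Constructed sample names: two legitimate ones and three hostile ones.
$samples = [
    'Joomla\\CMS\\Factory',         // namespaced class -> Joomla/CMS/Factory.php under the base
    'JDatabaseDriverMysqli',        // legacy single-word name
    'JFactory/../../../tmp/upload', // traversal via forward slashes
    "JFactory\0",                   // NUL byte appended to a valid name
    '../../etc/passwd',             // traversal via dots and slashes
];

foreach ($samples as $name) {
    $file = resolveClassFile($name, '/var/www/libraries');
    printf(
        "%-32s %s\n",
        addcslashes($name, "\0..\37"), // make control bytes visible in output
        $file === null ? 'REJECTED' : $file
    );
}
```

Run it from the command line with php: the two legitimate names resolve to paths under the base directory and the three hostile names print REJECTED. The allowlist is the important part. Once dots, slashes and NUL bytes cannot appear in a name at all, the string-to-path mapping cannot be steered outside the base directory, regardless of whether the PHP version in use pre-filters the argument to “class_exists”.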
A smaller follow-up release, 3.8.10, was published the same day. It contains no security fixes and corrects a bug introduced in 3.8.9 that affected Windows servers only.
Website owners using SiteLock SMART PLUS will receive patches for these vulnerabilities automatically on their next daily scan. However, to take advantage of the full set of features and bug fixes, site owners must still upgrade to version 3.8.9 or 3.8.10.
If you’d like your Joomla! application to be automatically patched during the next update, call SiteLock and ask about SMART PLUS. We are available 24/7 at 855.378.6200.