The beginning of November brings us a brand-new update for the Joomla! 3.x series that addresses two new security vulnerabilities and improves the overall user experience by addressing 15 bug fixes. As of November 5th, you can download or update to the latest version, which is 3.9.4. All security vulnerabilities are considered low; however, it is still advisable to update your Joomla! installs as soon as possible to avoid any potential issues.

 What is new?

  • Between versions 3.2.0 – 3.9.12, the Joomla! core was susceptible to a Cross-site Request Forgery (CSRF) vulnerability inside of the com_templates override view. Cross-site Request Forgery is a vulnerability that allows an attacker to trick a valid user into performing an action they did not intend. The new version of Joomla! integrates a token check to circumvent the vulnerability.
  • Missing access checking in the mphputf8 mapping files made versions 3.6.0 – 3.9.12 vulnerable to possible path disclosure. Path disclosure makes it possible for an attacker to see the contents of your directories and can lead to other attacks.

Various other fixes include better support for PHP 7.4, more reverse proxy support, a fix for active category detection, message filtering, and improvements to sending mass mail.

Joomla! sites protected by SiteLock INFINITY will have these security patches applied automatically when their next automated scan runs. Download the latest version of Joomla! today to take advantage of the latest security updates.

If you would like to protect your Joomla! site with automated malware removal and core CMS vulnerability patching, contact SiteLock today and ask about INFINITY. We’re available 24/7 via phone, email, or live chat to help.