Joomla 3.8.4 Notes about the Security Patches
From Joomla! Documentation
In Joomla 3.8.4, the Joomla Security Strike Team (JSST) started to implement a series of XSS protection patches for the backend that could affect some use cases. All these issues have been found by internal audits done by the JSST.
Who is affected?
In Joomla 3.8.4, the JSST fixed two XSS issues in that category:
- [20180101] - Core - XSS vulnerability in module chromes
- [20180102] - Core - XSS vulnerability in com_fields
Versions affected
This pertains only to Joomla version(s): 3.8.4+
Module Chromes (CVE-2018-6380)
This patch fixes a longstanding issue with the module Chromes: the module_tag parameter in the system and Protostar templates was output without escaping, which could lead to an XSS attack. The issue is fixed in Joomla 3.8.4, but only for the core templates. Please contact your template provider so they can check the corresponding module Chromes in third-party templates.
com_fields (CVE-2018-6377)
This patch fixes a problem where XSS payloads could be entered in the Text / Value options of com_fields plugins such as Checkbox, Radio and List. As a side effect of no longer allowing XSS, com_fields labels can no longer be output as HTML.
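Both patches above come down to the same defensive rule: anything that originates from a configuration field (the module_tag parameter of a module chrome, the Text / Value options of a com_fields plugin) must be validated or escaped before it is written into HTML. The following is an added example illustrating that rule for both cases; it is not Joomla's own code and does not reproduce the 3.8.4 patch. The `modChrome_hardened` and `renderFieldOption` functions, the plain-array `$params`/`$module` shape standing in for Joomla's Registry object, the `ALLOWED_MODULE_TAGS` allow-list and the sample input are all assumptions made for this example.

```php
<?php
// Added example (not Joomla's code): escaping configuration-driven values
// before they reach HTML, as a module chrome and a field renderer would.

// Element names a module wrapper may use; anything else falls back to div.
// This allow-list is an assumption of the example, not documented Joomla behaviour.
const ALLOWED_MODULE_TAGS = ['div', 'section', 'article', 'aside', 'nav', 'header', 'footer'];

// Escape a value for use in HTML text or attribute context.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical module chrome, shaped like a modChrome_* function.
// $params and $module are plain arrays here instead of Joomla's Registry/object.
function modChrome_hardened(array $module, array $params): string
{
    // Tag names cannot be escaped into safety (escaping would break the element),
    // so the parameter is validated against a fixed allow-list instead of being
    // interpolated as-is.
    $tag = strtolower((string) ($params['module_tag'] ?? 'div'));
    if (!in_array($tag, ALLOWED_MODULE_TAGS, true)) {
        $tag = 'div';
    }

    // Class suffix and title are attacker-influenceable text: escape them.
    $html = '<' . $tag . ' class="moduletable' . escapeHtml($params['moduleclass_sfx'] ?? '') . '">';
    if (($params['showtitle'] ?? '0') === '1') {
        $html .= '<h3>' . escapeHtml($module['title'] ?? '') . '</h3>';
    }
    // Module content is HTML already rendered by the module itself and is passed through.
    $html .= $module['content'] ?? '';
    $html .= '</' . $tag . '>';

    return $html;
}

// Hypothetical renderer for one option of a list/radio/checkbox field.
// Both the stored value and the label are escaped, so markup stored in the
// option text is shown literally rather than interpreted by the browser.
function renderFieldOption(string $value, string $label): string
{
    return '<option value="' . escapeHtml($value) . '">' . escapeHtml($label) . '</option>';
}

// Constructed sample input: a module_tag value that smuggles an attribute.
$params = [
    'module_tag'      => 'div onmouseover="alert(1)"',
    'showtitle'       => '1',
    'moduleclass_sfx' => ' custom',
];
$module = ['title' => 'Login', 'content' => '<form>...</form>'];

echo modChrome_hardened($module, $params), PHP_EOL;
echo renderFieldOption('1', '<b>Yes</b>'), PHP_EOL;
```

The two values are handled differently on purpose. An element name has no safe escaped form, so the chrome falls back to `div` whenever the parameter is not on the allow-list, dropping the injected attribute entirely. Option labels and values, on the other hand, sit in text and attribute context where `htmlspecialchars` is sufficient, which is exactly why, after this patch, a label containing HTML is displayed as text instead of being rendered.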