Joomla 3.8.4 Notes about the Security Patches

From Joomla! Documentation


In Joomla 3.8.4, the Joomla Security Strike Team (JSST) started to implement a series of XSS protection patches for the backend that could affect some use cases. All of these issues were found by internal audits performed by the JSST.

Who is affected?

In Joomla 3.8.4, the JSST fixed two XSS issues in this category, described below:

Versions affected

General Information

This pertains only to Joomla version(s): 3.8.4+

Module Chromes (CVE-2018-6380)

This patch fixes a longstanding issue with the module chromes, where the module_tag parameter in the system and Protostar template chromes lacked escaping, which could lead to an XSS attack. This issue is fixed in Joomla 3.8.4, but only for the core templates. Please contact your template provider so they can check the module chromes of your template.

com_fields (CVE-2018-6377)

This patch fixes a problem where XSS code could be entered in the Text / Value options of com_fields plugins such as Checkbox, Radio and List. As a side effect of no longer allowing XSS, com_fields labels can no longer be output as HTML.
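Both patches above come down to the same rule: values an administrator can type into the backend (the module_tag parameter and the com_fields option Text / Value) are escaped before they reach the rendered page. The following is an added example, not Joomla's own chrome or com_fields code, showing what that looks like in a minimal chrome and option renderer; the function names, the allowlist of tag names and the array-based parameters are assumptions of this example.

```php
<?php
// Added example (not Joomla core code): escape admin-controlled values before output.

/** Tag names this chrome accepts for module_tag; anything else falls back to div. */
const ALLOWED_MODULE_TAGS = ['div', 'section', 'aside', 'article', 'header',
    'footer', 'nav', 'address', 'details', 'main'];

/** HTML-escape a string for use in element content or a quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Allowlist the module_tag value first, then escape it as defence in depth. */
function safeModuleTag(?string $moduleTag): string
{
    $tag = strtolower(trim((string) $moduleTag));
    if (!in_array($tag, ALLOWED_MODULE_TAGS, true)) {
        $tag = 'div';
    }
    return escapeHtml($tag);
}

/** Render a module the way a chrome function does, with module_tag and class suffix escaped. */
function renderModuleChrome(array $params, string $title, string $content): string
{
    $tag   = safeModuleTag($params['module_tag'] ?? 'div');
    $class = escapeHtml($params['moduleclass_sfx'] ?? '');
    // $content is the module's own already-rendered HTML and is passed through unchanged.
    return "<{$tag} class=\"moduletable{$class}\">"
        . '<h3>' . escapeHtml($title) . '</h3>'
        . $content
        . "</{$tag}>";
}

/** Render com_fields style options: Text (label) and Value are escaped, so neither can carry markup. */
function renderFieldOptions(array $options): string
{
    $html = '';
    foreach ($options as $value => $text) {
        $html .= '<label><input type="checkbox" value="' . escapeHtml((string) $value) . '"> '
            . escapeHtml((string) $text) . '</label>';
    }
    return $html;
}

// Constructed sample values containing quote and angle-bracket characters that must never reach the page raw.
$params = ['module_tag' => 'div"><em', 'moduleclass_sfx' => ' <b>'];
echo renderModuleChrome($params, 'Latest <News>', '<p>module body</p>'), PHP_EOL;
echo renderFieldOptions(['1' => 'Yes <i>', '2' => 'No']), PHP_EOL;
```

With the constructed input, the chrome renders `<div class="moduletable &lt;b&gt;">` and the option label appears as literal text, which is the same behaviour the com_fields note above describes: labels are no longer interpreted as HTML.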