J3.x:Joomla 3.8.4 Notes about the Security Patches

From Joomla! Documentation

Revision as of 09:03, 30 January 2018 by FuzzyBot (talk | contribs) (Updating to match new version of source page)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Deutsch • ‎English • ‎Nederlands • ‎français

In Joomla 3.8.4, the Joomla Security Strike Team (JSST) started to implement a series of XSS protection patches for the backend that could affect some use cases. All these issues have been found by internal audits done by the JSST.

Who is affected?

In Joomla 3.8.4, the JSST fixed 2 XSS issues counting in that category:

Versions affected

General Information

This pertains only to Joomla version(s): 3.8.4+

Module Chromes (CVE-2018-6380)

This patch is fixing a longstanding issue with the module Chrome where the module_tag parameter in the system and Protostar template lack escaping which could lead to a XSS attack. This issue is fixed in Joomla 3.8.4 but only for the core templates. Please contact your template provider so they can check the corresponding module Chromes.

com_fields (CVE-2018-6377)

This patch fixes a problem where you can enter a XSS code to the Text / Value options in com_fields plugins, like Checkbox, Radio and List. As a side effect of not allowing XSS anymore, the com_fields labels can't be anymore outputted as html.