Ike.ninja

• Project: Joomla!
• SubProject: All
• Severity: Moderate
• Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
• Exploit type: XSS Vulnerability
• Reported Date: 2013-October-26
• Fixed Date: 2013-November-06
• CVE Number:

Description

Inadequate filtering leads to XSS vulnerability in com_contact.

Affected Installs

Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.

Solution

Upgrade to version 2.5.16, 3.1.6 or 3.2.

Contact

The JSST at the Joomla! Security Center.

The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.16.  2.5.16 addresses three critical issues reported after the release of 2.5.15 earlier today.  Aside from the links to the download packages, the text of the rest of this article is the same as that of today’s 2.5.15 release.

For users on 2.5.15 who are unable to update to 2.5.16 via the core update component, please download the patch package from http://joomlacode.org/gf/download/frsrelease/18859/91475/Joomla_2.5.15_to_2.5.16-Stable-Patch_Package.zip and install it via your Extension Manager to update.

This is a security release addressing three security issues. The Production Leadership Team’s goal is to continue to provide regular, frequent updates to the Joomla community. Learn more about Joomla! development at the Developer Site.

The update process is very simple, and complete instructions are available here. Note that there are now easier and better ways of updating than copying the files with FTP.

Download

New Installations: Click here to download Joomla 2.5.16 (Full package) »

Update Package: Click here to download Joomla 2.5.16 (Update package) »

Note: Please read the update instructions before updating.

Instructions

• New installation and technical requirements
  
• Update instructions*
• Migration from Joomla! 1.5.x

*Please clear your browser’s cache after ugprading

Want to test drive Joomla? Try the online demo or the Joomla JumpBox. Documentation is available for beginners.

Release Notes

Check the Joomla 2.5.15 Post-Release FAQs to see if there are important items and helpful hints discovered after the release.

Statistics for the 2.5.15 release period

• Joomla 2.5.15 contains 3 security issues and 32 tracker issues fixed

See http://developer.joomla.org/version-2-5-15-release-notes.html for details of the tracker items fixed.

Security Issues Fixed

• High Priority – Core XSS Vulnerability More information »
• Medium Priority – Core XSS Vulnerability More information »
• Medium Priority – Core XSS Vulnerability More information »

Joomla! Bug Squad

Thanks to the Joomla Bug Squad for their dedicated efforts investigating reports, fixing problems, and applying patches to Joomla. If you find a bug in Joomla, please report it on the Joomla! CMS Issue Tracker.

Active members of the Joomla Bug Squad during past 3 months include: Achal Aggarwal, Adelene Teh, Aleksander Linkov, Angelika Reisiger, Anibal Sanchez, Anja Hage, Artur Alves, Ashan Fernando, Beat , Brian Teeman, Chad Windnagle, Constantin Romankiewicz, Daniel Kanchev, David Hurley, Dennis Hermacki, Dimitar Genchev, Duong Nguyen, Edwin Cheront, Elin Waring, George Wilson, Gunjan Patel, Hans Kuijpers, Hervé Boinnard, Hugh Messenger, Janich Rasmussen, Jason Rey, Jérôme GLATIGNY, Jean-Marie Simonet, Jern Wei Tan, Jerri Christiansen, Jozsef Tamas Herczeg, Khai Vu Dinh, klas 10, landor landor, Lao Neo, Lara Petersen, Le Van Thuyet, Loc Le Minh, Lu Nguyen, Marc Antoine Thevenet, Marijke Stuivenberg, Mario Proenca, Mark Dexter, Mark Lee, Matias Aguirre, Michael Babker, Mihail Irintchev, Mike Biolsi, Mike Veeckmans, Nha Bui, Nicholas Dionysopoulos, Nick Savov, Nik Faris Akmal, Ofer Cohen, Olaf Offick, Patrick Alt, Peter Martin, Peter van Westen, Peter Wiseman, Piotr Konieczny, Radek Suski, Richard McDaniel, Rob de Cleen, Robert Deutz, Robert Gastaud, Roberto Segura, Roland Dalmulder, Ronni Christiansen, Sam Teh, Sander Potjer, Sandra Thevenet, Sebastian Łuckoś›, Sergio Iglesias, Seth Warburton, Shafiq Mazlan, Stefania Gaianigo, Thomas Hunziker, Tino Brackebusch, TJ Baker, Tobias Zulauf, tompap tompap, Troy Hall, Tu Diep The, Valentin Despa, Victor Drover, Viliam Kubis, Yiliang Yang.

Bug Squad Leadership: Mark Dexter and Nick Savov, Co-Coordinators.

Joomla! Security Strike Team

A big thanks to the Joomla! Security Strike Team for their ongoing work to keep Joomla secure. Members include: Airton Torres, Alan Langford, Beat, Bill Richardson, David Hurley, Don Gilbert, Elin Waring, Gary Brooks, Jason Kendall, Jean-Marie Simonet, Marijke Stuivenberg, Mark Boos, Mark Dexter, Matias Griese, Michael Babker, Nick Savov, Pushapraj Sharma, Rouven Weßling.

• Project: Joomla!
• SubProject: All
• Severity: Moderate
• Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
• Exploit type: XSS Vulnerability
• Reported Date: 2013-October-06
• Fixed Date: 2013-November-06
• CVE Number:

Description

Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds.

Affected Installs

Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.

Solution

Upgrade to version 2.5.15, 3.1.6 or 3.2.

Contact

The JSST at the Joomla! Security Center.

The Joomla! Project and Community is excited and proud to announce the immediate availability of Joomla! CMS 3.2.0 Stable.

With literally dozens of new features including:

• Content version control
• Many user interface improvements
• Easy multi-lingual setup for 64 officially supported languages
• Built-in Joomla! Extensions Finder as an onsite interface to the Joomla! Extensions Directory (that currently lists over 4000 extensions) providing one-click extensions installation
• Increased security with strong passwords and two step authentication
• New rapid development framework for new extension coding

Joomla 3.2 is truly a Something New for Everyone release. These exciting new features are highlighted and explained in a series of short video preview tutorials: Joomla! 3.2 Video Tutorials.