NETLOGICA - CYBERSECURITY - SECURITY UPDATES
Website infrastructure update
Dear Visitor, the security updates released today, 24/11/2020, have been applied to your website. They address the vulnerabilities listed below, which are published in the official CVE (Common Vulnerabilities and Exposures) bulletin.
[20201101] - Core - com_finder ignores access levels on autosuggest: The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
[20201102] - Core - Disclosure of secrets in Global Configuration page: The global configuration page does not remove secrets from the HTML output, disclosing the current values.
[20201103] Low Priority - Moderate Impact - Path traversal in mod_random_image: The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
[20201104] Low Priority - High Impact - SQL injection in com_users list view: Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
[20201105] Low Priority - Low Impact - User Enumeration in backend login: Improper handling of the username leads to a user enumeration attack vector in the backend login page.
[20201106] Low Priority - Low Impact - CSRF in com_privacy emailexport feature: A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
[20201107] Low Priority - High Impact - Write ACL violation in multiple core views: Lack of input validation while handling ACL rulesets can cause write ACL violations.
Numerous bug fixes have also been applied, including:
Please note that:
Your site therefore remains secure and constantly monitored, in line with Netlogica standards.
Kind regards
Mario Rossano CTO/CEO Netlogica - web and software engineering
