SB2017110702 - Multiple vulnerabilities in Joomla!
Published: November 7, 2017
Security Bulletin ID
SB2017110702
Severity
High
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Sensitive information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain user credentials.The vulnerability exists due to improper input sanitization in the LDAP authentication plugin. A remote attacker can gain disclose usernames and passwords.
The vulnerability is a result of the incomplete patch for Sensitive information disclosure vulnerability (CVE-2017-14596).
2) Authentication bypass (CVE-ID: CVE-2017-16634)
The vulnerability allows a remote attacker to bypass authentication process.The vulnerability exists due to unspecified vulnerability, which could lead to bypass a user's 2-factor-authentication method.
3) Information disclosure (CVE-ID: CVE-2017-16633)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The vulnerability exists due to a logic error within com_fields. A remote attacker can obtain information about a site's custom field.
Remediation
Install update from vendor's website.