Multiple vulnerabilities in Joomla!

Published: 2017-11-07 16:25:44
Severity: High
Patch available: Yes
Number of vulnerabilities: 3
CVSSv2:
  3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
  5 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3:
  6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
  7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
  4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE ID: CVE-2017-16634, CVE-2017-16633
CWE ID: CWE-200, CWE-287
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: Joomla!
Vulnerable software versions: Joomla! 3.7.5, Joomla! 3.7.4, Joomla! 3.7.3 (partial list)
Vendor URL: Joomla!
Advisory type: Public

Security Advisory

1) Sensitive information disclosure

Description

The vulnerability allows a remote attacker to obtain user credentials.

The vulnerability exists due to improper input sanitization in the LDAP authentication plugin. A remote attacker can disclose usernames and passwords.

This vulnerability results from an incomplete patch for the earlier sensitive information disclosure vulnerability (CVE-2017-14596).

Remediation

Update to version 3.8.2.

External links

https://developer.joomla.org/security-centre.html

2) Authentication bypass

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an unspecified error that could allow an attacker to bypass a user's two-factor authentication method.

Remediation

Update to version 3.8.2.

External links

https://developer.joomla.org/security-centre.html

3) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to a logic error within com_fields. A remote attacker can obtain information about a site's custom fields.

Remediation

Update to version 3.8.2.

External links

https://developer.joomla.org/security-centre.html
