Joomla 3.9.16
10 March 2020
Joomla version 3.9.16 is now available (security release).
Upgrading to Joomla 3.9.16
Joomla 3.9.16 can be installed, or an existing installation upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Joomla updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install and test the 3.9.16 upgrade before applying it live. Get started managing your Joomla installations with Installatron.
What's New in Joomla 3.9.16
Security
- Low Priority - Core - SQL injection in Featured Articles menu parameters (affecting Joomla 1.7.0 through 3.9.15) - The lack of type casting of a variable used in an SQL statement leads to a SQL injection vulnerability in the "Featured Articles" frontend menutype.
- Low Priority - Core - CSRF in com_templates image actions (affecting Joomla 3.2.0 through 3.9.15) - Missing token checks in the image actions of com_templates causes CSRF vulnerabilities.
- Low Priority - Core - XSS in Protostar and Beez3 (affecting Joomla 3.0.0 through 3.9.15) - Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks.
- Low Priority - Core - Incorrect Access Control in com_templates (affecting Joomla 2.5.0 through 3.9.15) - Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
- Low Priority - Core - Identifier collisions in com_users (affecting Joomla 3.0.0 through 3.9.15) - Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.
- Low Priority - Core - Incorrect Access Control in com_fields SQL field (affecting Joomla 3.7.0 through 3.9.15) - Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
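The first item above attributes the Featured Articles issue to a missing type cast on a menu parameter. The following PHP is an added illustration of that class of defect and its fix; it is not Joomla's own code, and the function names, the `#__content` table shape and the sample inputs are constructed for the example.

```php
<?php
// Added illustration (not Joomla's code): a menu parameter that reaches SQL
// without a type cast, and the minimal hardened form. All names hypothetical.

// Vulnerable shape: the parameter is interpolated into the query exactly as
// received, so the WHERE clause is whatever the caller supplied.
function buildFeaturedQueryUnsafe(string $catid): string
{
    return "SELECT id, title FROM #__content WHERE catid = $catid AND featured = 1";
}

// Hardened shape: cast to int first. The query can then only ever contain an
// integer literal at that position, whatever the original input looked like.
function buildFeaturedQuerySafe($catid): string
{
    $catid = (int) $catid;
    return "SELECT id, title FROM #__content WHERE catid = $catid AND featured = 1";
}

// Menu parameters are often lists of ids; cast every element, and handle the
// empty list explicitly so you never emit "IN ()".
function buildFeaturedQuerySafeList(array $catids): string
{
    $ids = array_map('intval', $catids);
    if ($ids === []) {
        return "SELECT id, title FROM #__content WHERE featured = 1";
    }
    return "SELECT id, title FROM #__content WHERE catid IN ("
        . implode(',', $ids) . ") AND featured = 1";
}

// Constructed inputs: a well-formed id and a malformed one.
$good = '12';
$bad  = '12abc';

echo buildFeaturedQueryUnsafe($bad), PHP_EOL;  // "... WHERE catid = 12abc AND ..." - input reached SQL verbatim
echo buildFeaturedQuerySafe($bad), PHP_EOL;    // "... WHERE catid = 12 AND ..."
echo buildFeaturedQuerySafe($good), PHP_EOL;   // "... WHERE catid = 12 AND ..."
echo buildFeaturedQuerySafeList(['3', '7', 'x']), PHP_EOL; // "... WHERE catid IN (3,7,0) AND ..."
```

Casting is the right tool only for values that are integers by definition, such as ids; a string parameter should instead go through the database driver's quoting (in Joomla 3, `$db->quote()`) or a bound parameter. A useful review check for a fix like this one is to grep the affected component for every `$params->get(...)` or request value that is concatenated into a query string and confirm each is either cast, quoted or bound.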
Changes
- Link rel attributes: add ‘noopener’, ‘sponsored’ and ‘ugc’ attributes
- Fields - Imagelist: Correct the display of the folder structure
- Popular Tags Module fix
- User - Contact Creator plugin: catid fixed