Joomla 3.9.19
3 June 2020
Joomla version 3.9.19 is now available (security release).
Upgrading to Joomla 3.9.19
Joomla 3.9.19 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Joomla updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install to test the 3.9.19 upgrade before applying it live. Get started managing your Joomla installations with Installatron.
What's New in Joomla 3.9.19
Security
- Low Priority - Core - XSS in modules heading tag option (affecting Joomla! 3.0.0 through 3.9.18) - Lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS attacks.
- Low Priority - Core - Inconsistent default textfilter settings (affecting Joomla! 2.5.0 through 3.9.18) - The default settings of the global "textfilter" configuration do not block HTML input for 'Guest' users. With 3.9.19, the textfilter for new installations has been set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.
- Low Priority - Core - XSS in com_modules tag options (affecting Joomla! 3.0.0 through 3.9.18) - Incorrect input validation of the module tag option in com_modules allows XSS attacks.
- Moderate Priority - Core - XSS in jQuery.htmlPrefilter (affecting Joomla! 3.0.0 through 3.9.18) - The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others." The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.
- Low Priority - Core - CSRF in com_postinstall (affecting Joomla! 3.7.0 through 3.9.18) - Missing token checks in com_postinstall cause CSRF vulnerabilities.
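To make the jQuery.htmlPrefilter item concrete, here is an added example (not code from the Joomla or jQuery projects) that re-implements, stand-alone and without loading jQuery, what htmlPrefilter did before jQuery 3.5.0 and what it does after the fix that 3.9.19 backports: the legacy version rewrote self-closing non-void tags before handing markup to the browser, so the string an application had sanitised was not the string the DOM parser received; the fixed version passes markup through unchanged. The regular expression is the one legacy jQuery used; the function names `legacyHtmlPrefilter`, `fixedHtmlPrefilter`, `legacyRewritesMarkup` and `auditMarkup` and the sample strings are constructed for this example.

```javascript
// Added example, not code from Joomla or jQuery: a stand-alone re-implementation of
// jQuery.htmlPrefilter before and after jQuery 3.5.0, so the effect of the
// backported fix can be seen without loading jQuery itself.

// Regex used by legacy jQuery (1.x through 3.4.x) to expand self-closing tags,
// e.g. <b/> -> <b></b>. Void elements (br, img, ...) are excluded; any other
// self-closing tag is rewritten.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Legacy behaviour: markup passed to .html(), .append() and friends was rewritten
// before reaching the browser, so a sanitiser's verdict on the original string
// did not necessarily hold for the string the DOM parser actually saw.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 behaviour, and what Joomla 3.9.19 backports into its bundled
// jQuery 1.x: the markup is returned untouched.
function fixedHtmlPrefilter(html) {
  return html;
}

// Defender-side check: would legacy jQuery rewrite this markup at all? A true
// result means the DOM received something other than what was sanitised on the
// pre-3.9.19 library, and also that rendering of this content may change after
// the upgrade (self-closing non-void tags are no longer expanded).
function legacyRewritesMarkup(html) {
  return legacyHtmlPrefilter(html) !== html;
}

// Audit a list of stored fragments (e.g. module or article content exported from
// the database) and report the ones whose rendering depended on the legacy rewrite.
function auditMarkup(fragments) {
  return fragments
    .filter(legacyRewritesMarkup)
    .map((input) => ({ input, legacy: legacyHtmlPrefilter(input), fixed: fixedHtmlPrefilter(input) }));
}

// Constructed sample fragments (not taken from the page).
const samples = [
  '<p>plain paragraph</p>',          // untouched by both versions
  '<b/>bold text',                   // legacy expands to <b></b>bold text
  '<img src="a.png"/>',              // void element: left alone by both versions
  '<div class="x"/><span>y</span>',  // legacy expands the div
];

// Stand-alone run: list the fragments whose DOM differed under legacy jQuery.
for (const hit of auditMarkup(samples)) {
  console.log(JSON.stringify(hit));
}
```

Running `auditMarkup` over exported content before the upgrade tells you which fragments relied on the old expansion; such content renders differently once the patched jQuery is in place, which is the same compatibility concern the jQuery project raised when it changed the default in 3.5.0.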
Bug fixes and Improvements
- Fix incomplete utf8mb4 conversion since 3.9.17 #29117
- Backport jQuery 3.5 security fixes #28948
- Frontend: Removal of the create/edit menu item buttons #29191
- Extend the checks to make sure only real user admins can create accounts #28948
- Mail: Support of dotless domains #28576
- Codemirror updated to its latest release #28691
- Improve translation system supporting better pluralization for languages like Welsh #28763