Joomla 3.9.20
14 July 2020
Joomla version 3.9.20 is now available (security release).
Upgrading to Joomla 3.9.20
Joomla 3.9.20 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Joomla updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install to test the 3.9.20 upgrade prior to applying it live.
What's New in Joomla 3.9.20
Security
- Low Priority - Core - CSRF in com_installer ajax_install endpoint (affecting Joomla! 3.7.0 through 3.9.19) - A missing token check in the ajax_install endpoint of com_installer causes a CSRF vulnerability.
- Moderate Priority - Core - Missing checks can lead to a broken usergroups table record (affecting Joomla! 2.5.0 through 3.9.19) - Missing validation checks in the usergroups table object can result in a broken site configuration.
- Low Priority - Core - CSRF in com_privacy remove-request feature (affecting Joomla! 3.9.0 through 3.9.19) - A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
- Low Priority - Core - Variable tampering via user table class (affecting Joomla! 3.0.0 through 3.9.19) - Internal read-only fields in the User table class could be modified by users.
- Low Priority - Core - Escape mod_random_image link (affecting Joomla! 3.0.0 through 3.9.19) - Lack of input filtering and escaping allows XSS attacks in mod_random_image.
- Low Priority - Core - System Information screen could expose Redis or proxy credentials (affecting Joomla! 3.0.0 through 3.9.19) - Inadequate filtering in the System Information screen could expose Redis or proxy credentials.
Bug fixes and Improvements
- Upload & Update tab of Joomla Update Component: Fix to allow upload of ZIP filetype only #29877
- Local database server: Allow optional port numbers #29567
- Beez3 Template: Markup fix for the Tabs layout of com_contact #29636
- Beez3 Template: Allow custom field editing on frontend #29577
- Backend cache cleared when purging updates #29603