Joomla 3.9.23
24 November 2020
Joomla version 3.9.23 is now available (security release).
Upgrading to Joomla 3.9.23
Joomla 3.9.23 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Joomla updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install to test the 3.9.23 upgrade prior to applying it live. Get started managing your Joomla installations with Installatron.
What's New in Joomla 3.9.23
Security
- [20201101] Low Priority - High Impact - Write ACL violation in multiple core views - The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
- [20201102] Low Priority - Moderate Impact - Disclosure of secrets in Global Configuration page - The global configuration page does not remove secrets from the HTML output, disclosing the current values.
- [20201103] Low Priority - Moderate Impact - Path traversal in mod_random_image - The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
- [20201104] Low Priority - High Impact - SQL injection in com_users list view - Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
- [20201105] Low Priority - Low Impact - User Enumeration in backend login - Improper handling of the username leads to a user enumeration attack vector in the backend login page.
- [20201106] Low Priority - Low Impact - CSRF in com_privacy emailexport feature - A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
- [20201107] Low Priority - High Impact - Write ACL violation in multiple core views - Lack of input validation while handling ACL rulesets can cause write ACL violations.
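Two of the items above come down to the same root cause: a request parameter reaching a sensitive sink (the filesystem for the mod_random_image folder parameter, the query builder for the com_users list filter) without being constrained to the values the code actually expects. The following is an added illustration of the defensive pattern, written for this page and not taken from Joomla's source or the fixes themselves: a containment check that resolves a folder parameter against a fixed base directory, and an allowlist lookup for an ordering column. The base directory, the column names and the sample request values are all constructed for the demonstration.

```php
<?php
// Added example, not Joomla's own code. Demonstrates two checks for untrusted
// request parameters: directory containment and column-name allowlisting.
declare(strict_types=1);

/**
 * Return the absolute path of $folder inside $baseDir, or null if the request
 * does not exist or escapes the base directory (e.g. "../../etc").
 */
function resolveImageFolder(string $baseDir, string $folder): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                        // misconfigured base directory
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // Reject NUL bytes outright; some filesystem calls truncate at them.
    if (strpos($folder, "\0") !== false) {
        return null;
    }

    // Canonicalise: realpath() collapses "..", symlinks and duplicate slashes.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($folder, '/\\'));
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }

    // Containment: the resolved path must be the base itself or a descendant.
    // The trailing separator stops "/srv/images2" matching a base of "/srv/images".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Map a requested list-ordering column to a known column name, falling back to
 * a default. Only allowlisted names ever reach the SQL builder; the request
 * string itself is never interpolated. Column names here are hypothetical.
 */
function allowedOrderColumn(string $requested, string $default = 'a.id'): string
{
    static $allowed = ['a.id', 'a.name', 'a.username', 'a.registerDate'];
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Demonstration with a constructed directory tree under the system temp dir.
$root = sys_get_temp_dir() . '/imgdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/images/gallery', 0700, true);
mkdir($root . '/secrets', 0700, true);
$base = $root . '/images';

$folderCases = [
    'gallery'               => 'allowed (subfolder)',
    ''                      => 'allowed (base itself)',
    '../secrets'            => 'rejected (escapes base)',
    'gallery/../../secrets' => 'rejected (escapes base)',
    "gallery\0x"            => 'rejected (NUL byte)',
    'missing'               => 'rejected (does not exist)',
];
foreach ($folderCases as $folder => $expect) {
    $result = resolveImageFolder($base, $folder);
    printf("%-26s -> %s  [%s]\n", json_encode($folder), $result ?? 'null', $expect);
}

// Constructed ordering requests: a known column, and an arbitrary string that
// must never reach the query as-is.
foreach (['a.username', 'a.name) UNION SELECT 1 --', 'not_a_column'] as $req) {
    printf("order %-28s -> %s\n", json_encode($req), allowedOrderColumn($req));
}

// Clean up the constructed tree.
rmdir($root . '/images/gallery');
rmdir($root . '/images');
rmdir($root . '/secrets');
rmdir($root);
```

The containment check deliberately compares canonical paths rather than inspecting the input for ".." substrings: encoded or symlinked variants are all resolved by realpath() before the comparison, so the decision depends on where the path ends up, not on how it was spelled. The ordering helper takes the opposite approach to a blacklist: anything not explicitly named is replaced by the default, so there is no list of bad patterns to keep complete.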
Bug fixes and Improvements
- In order to get Joomla ready for PHP 8 (to be released on November 26th, 2020), Joomla 3.9.23 includes fixes to ensure PHP 8 compatibility (see #31246, #30608, #30582, #29353, #30922, #31444, #31434, #31442, #31445).
- TinyMCE updated #30329
- Fix for frontend module editing permissions #30778
- Fix for the loss of transparency when cropping/resizing images #30977
- Validation rule added for the redirect header field #31016