Joomla 3.9.28
7 July 2021
Joomla version 3.9.28 is now available (security release).
Upgrading to Joomla 3.9.28
Joomla 3.9.28 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Joomla updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install to test the 3.9.28 upgrade prior to applying it live.
What's New in Joomla 3.9.28
Security
- Low Severity - Low Impact - XSS in JForm Rules field (affecting Joomla! 3.0.0 through 3.9.27) - Inadequate escaping in the Rules field of the JForm API leads to an XSS vulnerability.
- Low Severity - Low Impact - DoS through usergroup table manipulation (affecting Joomla! 2.5.0 through 3.9.27) - Missing validation of input could lead to a broken usergroups table.
- Low Severity - Moderate Impact - Lack of enforced session termination (affecting Joomla! 2.5.0 through 3.9.27) - Various CMS functions did not properly terminate existing user sessions when a user's password was changed or the user was blocked.
- Low Severity - High Impact - Privilege escalation through com_installer (affecting Joomla! 2.5.0 through 3.9.27) - The install action in com_installer lacks the required hardcoded ACL checks for superusers, leading to various potential attack vectors. A default system is not affected because by default com_installer is already limited to super users.
- Low Severity - Moderate Impact - XSS in com_media imagelist (affecting Joomla! 3.0.0 through 3.9.27) - Inadequate escaping in the imagelist view of com_media leads to an XSS vulnerability.
Bug Fixes
- Update CA certificates #34693
- Smart Search: Fix inserting tokens to DB #34497
- Fix search suggestions for mixed-case searches #33942