Joomla 5.2.3
7 January 2025
Joomla version 5.2.3 is now available (security release).
Upgrading to Joomla 5.2.3
Joomla 5.2.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Joomla updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install to test the 5.2.3 upgrade prior to applying it live. Get started managing your Joomla installations with Installatron
What's New in Joomla 5.2.3
Security
- [20250101] - Core - XSS vectors in module chromes
- [20250102] - Core - XSS vector in the id attribute of menu lists
- [20250103] - Core - Read ACL violation in multiple core views
Bug Fixes and Changes
- Fix joomlaExtButtons TinyMCE plugin, buttons validation (#44507)
- Email Validation apostrophe (#44527)
- Set correct AssetTitle and AssetParentId (#42493)
- Remove empty images and anchors from mod articles_news (#42493), mod articles_category (#44478) and (#44475)
- Remove wrong class in cancel link in add verification code frontend page (#44473)
- Allow multiselect for checkboxes (#44500)
- postgres and finder suggestions (#44384)
- Pre-update check for extensions AllowDynamicProperties (#44307)
- Fix PHPCS nullable parameter (#44543)
- Fix double closing Curly braces in inline style (#44532)
- Uncaught TypeError: can't access property "getAttribute", toggleButton is null (#44555)
- Plugins: Search not case-insensitive for unicode language (#44525)
- Fix increment on non-alphanumeric string deprecation (#44173)
- User: Don't reset newly set requireReset (#44519)
- CoreButtonsTrait back() generates wrong button text (#44509)
- Tags: Make router discover 404s properly (#44540)
- Catch exception to get the user in the action log model (#44358)
- Fix return typehint in IdentityAware trait (#44567)
- Composer update joomla/application to 3.0.3 to fix PHP deprecations in Web Client (#44585)
- User: Allow MFA before password reset (#44521)
- Fix duplicate entry with the action logs by removing the second call to onJoomlaAfterUpdate (#44629)
- [CLI] extension:remove -n option "Invalid Response" fix (#44546)
- Privacy: Allow MFA and invalid privacy consents (#44522)
- Refresh changelog URL on manifest cache refresh (#44565)