An incomplete check of the `_JEXEC` guard (the constant that Joomla! PHP files test with `defined('_JEXEC') or die;` so that a file cannot be executed by a direct request outside the application bootstrap) can lead to a Cross-Site Scripting (XSS) issue. It is recommended to upgrade the application to Joomla! 4.2.1 or higher. You can also upgrade the application to Joomla! 5.0.0 by following the steps in the Joomla Upgrade Guide. A separate issue was found in Joomla! 3.10.0, where the password reset email was not sent to the address specified in the user profile; for that issue it is recommended to upgrade the application to Joomla! 3.11.0 or higher.
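As an added check (example code written for this page, not code from the advisory or from the Joomla! project), the following Python script walks a Joomla! file tree and classifies every PHP file by whether the `_JEXEC` guard is present and is reached before any output is emitted. The `com_demo` sample tree it builds is constructed here for illustration, the guard spellings it recognises are the common Joomla! forms, and the output detection is a regex heuristic rather than a PHP parser (an `echo` inside a comment is flagged too).

```python
import re
import tempfile
from pathlib import Path

# Common spellings of the Joomla! entry guard that every non-entry-point
# PHP file is expected to carry, e.g.
#   defined('_JEXEC') or die;
#   \defined('_JEXEC') or die('Restricted access');
#   defined('_JEXEC') || exit;
#   if (!defined('_JEXEC')) { die; }
_GUARD_RE = re.compile(
    r"""(?x)
    (?:
        \\?defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b
      |
        if\s*\(\s*!\s*\\?defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b
    )
    """
)

# Entry points (index.php, CLI scripts) define the constant themselves.
_DEFINES_RE = re.compile(r"""\\?define\s*\(\s*['"]_JEXEC['"]""")

# Heuristic for "something was already sent to the client": a closing
# PHP tag (inline HTML follows) or an echo/print statement. This does not
# parse PHP, so an `echo` inside a comment is flagged as well.
_OUTPUT_RE = re.compile(r"\?>|\becho\b|\bprint\b")


def classify(source: str) -> str:
    """Return 'entry', 'ok', 'late' or 'missing' for one PHP source text."""
    if _DEFINES_RE.search(source):
        return "entry"          # defines _JEXEC itself; no guard expected
    match = _GUARD_RE.search(source)
    if match is None:
        return "missing"        # a direct request would execute the file
    if _OUTPUT_RE.search(source[: match.start()]):
        return "late"           # guard exists but output precedes it
    return "ok"


def scan_tree(root) -> dict:
    """Classify every *.php file under root; keys are POSIX-style relative paths."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        results[path.relative_to(root).as_posix()] = classify(text)
    return results


# Constructed sample tree (hypothetical com_demo component, not a real extension).
_SAMPLE_FILES = {
    "index.php":
        "<?php\ndefine('_JEXEC', 1);\nrequire __DIR__ . '/includes/app.php';\n",
    "components/com_demo/demo.php":
        "<?php\n\\defined('_JEXEC') or die;\n\nclass DemoController {}\n",
    "components/com_demo/helper.php":
        "<?php\necho 'debug';\ndefined('_JEXEC') or die;\n",
    "components/com_demo/tmpl/default.php":
        "<?php /* view template, guard forgotten */ ?>\n"
        "<h1><?php echo $this->title; ?></h1>\n",
}


def demo_findings() -> dict:
    """Write the sample tree to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in _SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, verdict in demo_findings().items():
        print(f"{verdict:8} {rel}")
```

Run it against a real installation with `scan_tree("/var/www/joomla")`; the `missing` and `late` entries are the files worth reviewing, while `entry` files are expected to lack the guard because they define the constant themselves.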

Joomla! 3.9.0

Upgrade Requirements
Joomla! 3.9.0 is a release of the 3.x series of the Joomla! CMS, and upgrading to it requires upgrades for all components.
The following components and version ranges are affected:
- Core - versions 1.7 and 1.8
- Component - versions 3.0 and 3.1
- Extensions - versions 3.2, 3.3, 3.4, 3.5, 4.0, 5.0

Joomla! 3.10.0

The Missing Password Reset Email
Joomla! 3.10.0 is affected by an issue where the password reset email is not sent to the address specified in the user profile. This means that a potential attacker could gain access to an account by following these steps:
1) Add a new user with your own email address specified as their username
2) Trigger a password change (reset) for that user as you would in any other case
3) Receive an email from Joomla! informing you that you have been locked out of your account

Install the latest Joomla!

Whichever branch is in use, install the latest available Joomla! release: Joomla! 3.11.0 or higher for the 3.x password reset issue above, and Joomla! 4.2.1 or higher for the `_JEXEC` issue.

Timeline

Published on: 08/31/2022 10:15:00 UTC
Last modified on: 09/05/2022 03:20:00 UTC
