Joomla 3.9.25
Security Issues Fixed
[20210301] Low Severity - Low Impact - Insecure randomness within 2FA secret generation (affecting Joomla! 3.2.0 through 3.9.24)
[20210302] Low Severity - Low Impact - Potential Insecure FOFEncryptRandval (affecting Joomla! 3.2.0 through 3.9.24)
[20210303] Low Severity - Moderate Impact - XSS within alert messages shown to users (affecting Joomla! 2.5.0 through 3.9.24)
[20210304] Low Severity - Moderate Impact - XSS within the feed parser library (affecting Joomla! 2.5.0 through 3.9.24)
[20210305] Low Severity - Low Impact - Input validation within the template manager (affecting Joomla! 3.2.0 through 3.9.24)
[20210306] Low Severity - Moderate Impact - com_media allowed paths that are not intended for image uploads (affecting Joomla! 3.0.0 through 3.9.24)
[20210307] Low Severity - Moderate Impact - ACL violation within com_content frontend editing (affecting Joomla! 3.0.0 through 3.9.24)
[20210308] Low Severity - Moderate Impact - Path Traversal within joomla/archive zip class (affecting Joomla! 3.0.0 through 3.9.24)
[20210309] Low Severity - Moderate Impact - Inadequate filtering of form contents could allow overwriting the author field (affecting Joomla! 1.6.0 through 3.9.24)
Bug fixes and Improvements
Fix Save as Copy tag
Fix published attribute for Tag field
Fix batch menu items
Stream transport should enable verify_peer_name when possible
Optimize the code for renaming incorrectly cased files on update
Additional PHP 8 improvements
Joomla 3.9.24
Security Issues Fixed
[20210101] Low Severity - Low Impact - com_modules exposes module names (affecting Joomla! 3.0.0 through 3.9.23)
[20210102] Low Severity - Moderate Impact - XSS in mod_breadcrumbs aria-label attribute (affecting Joomla! 3.9.0 through 3.9.23)
[20210103] Low Severity - Moderate Impact - XSS in com_tags image parameters (affecting Joomla! 3.1.0 through 3.9.23)
Bug fixes and Improvements
Continuing to improve PHP 8 support
Solved performance issue with zip archives containing zip files
Removes the deprecated feature-policy header and adds the new Permissions Policy
Update joomla/image dependency
Fixed regression in the SMTP Settings Test
Fixed regression when saving empty passwords in global configuration
Joomla 3.9.23
Security Issues Fixed
Low Priority - High Impact - Write ACL violation in multiple core views (affecting Joomla! 2.5.0 through 3.9.22)
Low Priority - Moderate Impact - Disclosure of secrets in Global Configuration page (affecting Joomla! 2.5.0 through 3.9.22)
Low Priority - Moderate Impact - Path traversal in mod_random_image (affecting Joomla! 2.5.0 through 3.9.22)
Low Priority - High Impact - SQL injection in com_users list view (affecting Joomla! 3.0.0 through 3.9.22)
Low Priority - Low Impact - User Enumeration in backend login (affecting Joomla! 3.9.0 through 3.9.22)
Low Priority - Low Impact - CSRF in com_privacy emailexport feature (affecting Joomla! 3.9.0 through 3.9.22)
Low Priority - High Impact - Write ACL violation in multiple core views (affecting Joomla! 1.7.0 through 3.9.22)
Bug fixes and Improvements
TinyMCE updated
Fix for frontend module editing permissions
Fix for the loss of transparency when cropping/resizing images
Validation rule added for the redirect header field
Joomla 3.9.22
Bug fixes and Improvements
Contact component: Fix for the category filter results
Page Break: Fix for the page break title when the title attribute is after the class
Privacy Request: Fix the token check when removing data via a privacy removal request
Multilanguage: Display an error when the URL language code is saved as empty
Multilanguage: Force lowercase for url language code
Joomla 3.9.21
Security Issues Fixed
Low Priority - Core - XSS in mod_latestactions (affecting Joomla! 3.9.0 through 3.9.20)
Low Priority - Core - Open redirect in com_content vote feature (affecting Joomla! 3.0.0 through 3.9.20)
Low Priority - Core - Directory traversal in com_media (affecting Joomla! 2.5.0 through 3.9.20)
Bug fixes and Improvements
TinyMCE updated
CodeMirror updated
Upload Package File / Joomla Update: Upload file size check added
Actions Log: Log an event when Joomla is updated
Joomla 3.9.20 Release
Security Issues Fixed
Low Priority - Core - CSRF in com_installer ajax_install endpoint (affecting Joomla! 3.7.0 through 3.9.19)
Moderate Priority - Core - Missing checks can lead to a broken usergroups table record (affecting Joomla! 2.5.0 through 3.9.19)
Low Priority - Core - CSRF in com_privacy remove-request feature (affecting Joomla! 3.9.0 through 3.9.19)
Low Priority - Core - Variable tampering via user table class (affecting Joomla! 3.0.0 through 3.9.19)
Low Priority - Core - Escape mod_random_image link (affecting Joomla! 3.0.0 through 3.9.19)
Low Priority - Core - System Information screen could expose redis or proxy credentials (affecting Joomla! 3.0.0 through 3.9.19)
Bug fixes and Improvements
Upload & Update tab of Joomla Update Component: Fix to allow upload of ZIP filetype only
Local database server: Allow optional port numbers
Beez3 Template: Markup fix for the Tabs layout of com_contact
Beez3 Template: Allow custom field editing on frontend
Backend cache cleared when purging updates
Joomla 3.9.19 Release
Security Issues Fixed
Low Priority - Core - XSS in modules heading tag option (affecting Joomla! 3.0.0 through 3.9.18)
Low Priority - Core - Inconsistent default textfilter settings (affecting Joomla! 2.5.0 through 3.9.18)
Low Priority - Core - XSS in com_modules tag options (affecting Joomla! 3.0.0 through 3.9.18)
Moderate Priority - Core - XSS in jQuery.htmlPrefilter (affecting Joomla! 3.0.0 through 3.9.18)
Low Priority - Core - CSRF in com_postinstall (affecting Joomla! 3.7.0 through 3.9.18)
Bug fixes and Improvements
Fix incomplete utf8mb4 conversion since 3.9.17
Backport jQuery 3.5 security fixes
Frontend: Removal of the create/edit menu item buttons
Extend the checks to make sure only real user admins can create accounts
Mail: Support of dotless domains
Codemirror updated to its latest release
Improve translation system supporting better pluralization for languages like Welsh
Joomla 3.9.18 Release
Bug fixes and Improvements
Fixes the single tag view incorrectly showing a 404 page
Joomla 3.9.17 Release
Security Issues Fixed
Low Priority - Core - Incorrect access control in com_users access level editing function (affecting Joomla 3.8.8 through 3.9.16)
Low Priority - Core - Missing checks for the root usergroup in usergroup table (affecting Joomla 2.5.0 through 3.9.16)
Low Priority - Core - Incorrect access control in com_users access level deletion function (affecting Joomla 2.5.0 through 3.9.16)
Bug fixes and Improvements
Removal of an unneeded file added to 3.9.16
Multilingual Associations: Fix for the Edit Associations buttons in Menu Items #28339 and in Category
PHPMailer upgraded to its latest version
'New' MVC classes deprecation notice for 4.0 instead of 5.0
Facilitate the usage of help system by third parties
PostgreSQL: Fix for module loading
Joomla 3.9.16 Release
Security Issues Fixed
Low Priority - Core - SQL injection in Featured Articles menu parameters (affecting Joomla 1.7.0 through 3.9.15)
Low Priority - Core - CSRF in com_templates image actions (affecting Joomla 3.2.0 through 3.9.15)
Low Priority - Core - XSS in Protostar and Beez3 (affecting Joomla 3.0.0 through 3.9.15)
Low Priority - Core - Incorrect Access Control in com_templates (affecting Joomla 2.5.0 through 3.9.15)
Low Priority - Core - Identifier collisions in com_users (affecting Joomla 3.0.0 through 3.9.15)
Low Priority - Core - Incorrect Access Control in com_fields SQL field (affecting Joomla 3.7.0 through 3.9.15)
Bug fixes and Improvements
Link rel attributes: ‘noopener’ attributes #28005, ‘sponsored’ and ‘ugc’ attributes
Fields - Imagelist: Correct the display of the folder structure
Popular Tags Module fix
User - Contact Creator plugin: catid fixed
Joomla 3.9.15 Release
Security Issues Fixed
Low Priority - Core - CSRF in batch actions (affecting Joomla 3.0.0 through 3.9.14)
Low Priority - Core - CSRF in com_templates LESS compiler (affecting Joomla 3.0.0 through 3.9.14)
Low Priority - Core - XSS in com_actionlogs (affecting Joomla 3.9.0 through 3.9.14)
Bug fixes and Improvements
Beez Template: Fix the consent field modal
Action Log emails: Use of absolute URLs
TinyMCE fixes
User email addresses: Case insensitive management
Prevent library extensions from overwriting core files
Joomla 3.9.14 Release
Security Issues Fixed
Low Priority - Core - Path Disclosure in framework files (affecting Joomla 3.8.0 through 3.9.13)
Low Priority - Core - Various SQL injections through configuration parameters (affecting Joomla 2.5.0 through 3.9.13)
Bug fixes and Improvements
Improve PHP 7.4 compatibility
Fix incorrect id generated for input fields in repeatable subform
Fix Sample Data Learn
Allow JSON Document caching
Avoid errors when Joomla! gets outdated
Show full video filename and preview icon in Media Manager
Joomla 3.9.13 Release
Security Issues Fixed
Low Priority - Core - CSRF in com_template overrides view (affecting Joomla 3.2.0 through 3.9.12)
Low Priority - Core - Path Disclosure in phputf8 mapping files (affecting Joomla 3.6.0 through 3.9.12)
Bug fixes and Improvements
Improve PHP 7.4 compatibility
Improve reverse proxy support
Fix active category detection
Fix message filtering
Improve sending mass mail
Joomla 3.9.12 Release
Security Issues Fixed
Low Priority - Core - XSS in logo parameter of default templates (affecting Joomla 3.0.0 through 3.9.11)
Bug fixes and Improvements
Fix for minyear and maxyear in the calendar
Handle Google Font weights and styles in Protostar
Fix user session on mssql server
Protect SQL servers by adding pause mechanism to cli finder indexer
Fix Imagelist custom field default image
Joomla 3.9.11 Release
Security Issues Fixed
Low Priority - Core - Hardening com_contact contact form (affecting Joomla 1.6.2 through 3.9.10)
Bug fixes and Improvements
Custom Fields: Fix language strings/unknown columns/sorting
Creating categories on the fly with numbers
Fix database schema checker for MySQL 8
Tree sorting in templates file tree
Improved PHP 7.4 compatibility
Joomla 3.9.10 Release
Joomla 3.9.10 fixes one bug introduced in Joomla 3.9.9 that affects the template styles of multilingual sites and results in lost data.
Joomla 3.9.9 Release
Security Issues Fixed
Low Priority - Core - Filter attribute in subform fields allows remote code execution (affecting Joomla 3.9.7 through 3.9.8)
Bug fixes and Improvements
Repeatable Custom Fields: fix to keep HTML tags #25189
Media Manager: Modal layout improved #22475
Voting: Cache cleaned after voting #25201
Article ordering: Items grouped by category first #25295
Batch system: Improvements for Contact and Newsfeed #25259
Joomla 3.9.8 Release
Joomla 3.9.8 fixes one bug introduced in Joomla 3.9.7 by the removal of the French Help Server.
Joomla 3.9.7 Release
Security Issues Fixed
Low Priority - Core - CSV injection in com_actionlogs (affecting Joomla 3.9.0 through 3.9.6)
Low Priority - Core - XSS in subform field (affecting Joomla 3.6.0 through 3.9.6)
Low Priority - Core - ACL hardening of com_joomlaupdate (affecting Joomla 3.8.13 through 3.9.6)
Bug fixes and Improvements
Batch system: Copy permissions of modules #24737 and categories #24730
Progressive cache improvements #20310
Fix to avoid duplicated custom fields in com_content #24516
RTL improvements #23107 #24722
Removal of the unofficial French Help Server #24927
TinyMCE improvements: #24978 #25037
RSS: Fix to display the right category #24932
Media Manager: Fix directory traversal for symlinked folders #24924
User registration: Correct http schema used #24089
Joomla 3.9.6 Release
Security Issues Fixed
Low Priority - Core - XSS in com_users ACL debug views (affecting Joomla 1.7.0 through 3.9.5)
Low Priority - Core - By-passing protection of Phar Stream Wrapper Interceptor (affecting Joomla 3.9.3 through 3.9.5)
Bug fixes and Improvements
Media Manager: Fix logic in file upload check introduced in 3.9.5 #24637
Edge Chromium support added #24379
User Notes: Fix date format #24529
Frontend editing: article category editable by Publishers and up #24640
Cache: Cache folder automatically created if it doesn’t exist #21952
PostgreSQL database improvements #24682 #24683 #24652
Joomla 3.9.5 Release
Security Issues Fixed
Low Priority - Core - Directory Traversal in com_media (affecting Joomla 1.5.0 through 3.9.4)
High Priority - Core - Helpsites refresh endpoint callable for unauthenticated users (affecting Joomla 3.2.0 through 3.9.4)
Moderate Priority - Core - Object.prototype pollution in JQuery $.extend (affecting Joomla 3.0.0 through 3.9.4)
Bug fixes and Improvements
User Password: Add minimum lowercase rule for password validation #24230
Associations tab: Fix wrong behaviour of Indonesian language #24244
Debug language: Fix User Actions Log Manager #24178
New installation language: Kazakh #24233
Google Authenticator plugin (2FA): QR-code generator implemented #24255
Joomla 3.9.4 Release
Security Issues Fixed
High Priority - Core - Missing ACL check in sample data plugins (affecting Joomla 3.8.0 through 3.9.3)
Low Priority - Core - XSS in com_config JSON handler (affecting Joomla 3.2.0 through 3.9.3)
Low Priority - Core - XSS in item_title layout (affecting Joomla 3.0.0 through 3.9.3)
Low Priority - Core - XSS in media form field (affecting Joomla 3.0.0 through 3.9.3)
Bug fixes and Improvements
User Terms (#23787) and Privacy Consent (#23660) plugins: Layouts for the label and message added
Featured articles: Page subheading added #23583
Custom formfield layout paths simplified #22645
Com_contact: Contact name field moved out of the Contact Information block #23563
Custom module: Improvement of the frontend editing #23741
Action Logs improvement: Cache (#22739) and Purge/Export (#22740) actions are now logged
Joomla 3.9.3 Release
Security Issues Fixed
Low Priority - Core - Lack of URL filtering in various core components (affecting Joomla 2.5.0 through 3.9.2)
Low Priority - Core - Browserside mime-type sniffing causes XSS attack vectors (affecting Joomla 1.0.0 through 3.9.2)
Low Priority - Core - Additional warning in the Global Configuration textfilter settings (affecting Joomla 2.5.0 through 3.9.2)
Low Priority - Core - Stored XSS issue in the Global Configuration help url #2 (affecting Joomla 2.5.0 through 3.9.2)
Low Priority - Core - XSS Issue in core.js writeDynaList (affecting Joomla 2.5.0 through 3.9.2)
Low Priority - Core - Implement the TYPO3 PHAR stream wrapper (affecting Joomla 2.5.0 through 3.9.2)
Bug fixes and Improvements
Prevent renaming/deleting the template index.php file #23654
Smart Search improvement #23736
Contacts banned fields removed #23585
Improvement of the Integration tab display #23711
Fix the category filter for featured articles #23454
Fix for the Template Style field in the menu manager #23556
Breadcrumbs for tags #23599
Joomla 3.9.2 Release
Security Issues Fixed
Low Priority - Core - Stored XSS in mod_banners (affecting Joomla 2.5.0 through 3.9.1)
Low Priority - Core - Stored XSS in com_contact (affecting Joomla 2.5.0 through 3.9.1)
Low Priority - Core - Stored XSS issue in the Global Configuration textfilter settings (affecting Joomla 2.5.0 through 3.9.1)
Low Priority - Core - Stored XSS issue in the Global Configuration help url (affecting Joomla 2.5.0 through 3.9.1)
Bug fixes and Improvements
Fixes for states in com_finder (#23194), com_banners (#23193), com_messages (#23192), com_users notes (#23191)
Removal of the Caching field in the languages (#23174), syndicate (#23166), random image (#23165), and login modules (#23152)
Editors API extended #23224
Menu Item Alias type: Redirection is optional #23278
com_media: Normalisation of uploaded file names (#23259)
Code cleanup and namespacing
Joomla 3.9.1 Release
Fix for the automatic title option of the Latest Actions admin module #22925
Com_privacy: Redirected to the privacy request form after login #22927
Update to TinyMCE 4.5.9 #22879
Performance improvement for the category and tag managers #22117
Fix for the delete module positions issue #22935
Preventing the System Privacy Consent plugin from running when logging out through a menu item #22939
Content - Page Break plugin: Possibility to use a template override for Previous/Next pagination #22932
Fix navigation to the first page in pagination when SEF is off #23042
System - User Actions Log plugin: Removal of the number of days limitation #23084