{"id":2330,"date":"2020-09-09T15:33:05","date_gmt":"2020-09-09T20:33:05","guid":{"rendered":"https:\/\/cert.pa\/?p=2330"},"modified":"2020-09-11T19:05:56","modified_gmt":"2020-09-12T00:05:56","slug":"csirt-panama-aviso-2020-09-09-joomla-actualizacion-de-seguridad-de-joomla-3-9-21","status":"publish","type":"post","link":"https:\/\/cert.pa\/?p=2330","title":{"rendered":"CSIRT Panam\u00e1 Advisory 2020-09-09 Joomla: Joomla 3.9.21 security update"},"content":{"rendered":"\n<p>Severity: Medium<br>Publication date: September 9, 2020<br>Last revision: September 9, 2020<br>Portal: https:\/\/www.joomla.org\/<br>Affected systems: several flaws in the Joomla content management system, across versions ranging from 2.5.0 through 3.9.20 (the exact range differs per vulnerability, see below).<\/p>\n\n\n\n<p><strong>I. Description<\/strong><br>Mitigation for three vulnerabilities affecting the Joomla content management system.<\/p>\n\n\n\n<p><strong>II. Impact<\/strong><br><strong>Vulnerability:<\/strong> CVE-2020-24599<br>Missing escaping of user-supplied data in \u201cmod_latestactions\u201d would allow an attacker to carry out XSS (Cross-site Scripting) attacks.<br><strong>Affected products: versions 3.9.0 \u2013 3.9.20.<\/strong><\/p>\n\n\n\n<p><strong>Vulnerability:<\/strong> CVE-2020-24598<br>Missing validation of user-supplied data in the vote feature of \u201ccom_content\u201d would allow an attacker to use the site as an open redirect, sending a victim to an attacker-chosen URL as the first step of a phishing attack.<br><strong>Affected products: versions 3.0.0 \u2013 3.9.20.<\/strong><\/p>\n\n\n\n<p><strong>Vulnerability:<\/strong> CVE-2020-24597<br>Missing validation of user-supplied data in the root-directory setting of \u201ccom_media\u201d allows directory traversal: the component\u2019s root can be pointed to a path outside the \u201cwebroot\u201d (the web server\u2019s document root).<br><strong>Affected products:<\/strong> versions 2.5.0 \u2013 3.9.20.<\/p>\n\n\n\n<p><strong>III. References to solutions, tools and information<\/strong><br>It is recommended to update the Joomla content management system to version 3.9.21, which fixes all three issues, using the packages from the official site (https:\/\/downloads.joomla.org\/).<\/p>\n\n\n\n<p><strong>Sources:<\/strong><br>1. Joomla. Retrieved from: <a href=\"https:\/\/developer.joomla.org\/security-centre\/824-20200801-core-xss-in-mod-latestactions.html\">https:\/\/developer.joomla.org\/security-centre\/824-20200801-core-xss-in-mod-latestactions.html<\/a><br>2. Joomla. Retrieved from: <a href=\"https:\/\/developer.joomla.org\/security-centre\/825-20200802-core-open-redirect-in-com-content-vote-feature.html\">https:\/\/developer.joomla.org\/security-centre\/825-20200802-core-open-redirect-in-com-content-vote-feature.html<\/a><br>3. Joomla. Retrieved from: <a href=\"https:\/\/developer.joomla.org\/security-centre\/827-20200803-core-directory-traversal-in-com-media.html\">https:\/\/developer.joomla.org\/security-centre\/827-20200803-core-directory-traversal-in-com-media.html<\/a><br>4. CSIRT Chile. September 7, 2020. Vulnerabilities. Retrieved from: <a href=\"https:\/\/www.csirt.gob.cl\/vulnerabilidades\/9vsa20-00295-01\/\">https:\/\/www.csirt.gob.cl\/vulnerabilidades\/9vsa20-00295-01\/<\/a><\/p>\n\n\n\n<p><strong>Contact information<\/strong><br>CSIRT PANAMA<br>Computer Security Incident Response Team, Autoridad Nacional para la Innovacion Gubernamental<br>E-Mail: info@cert.pa<br>Phone: +507 520-CERT (2378)<br>Web: https:\/\/cert.pa<br>Twitter: @CSIRTPanama<br>Key ID: 16F2B124<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Severity: Medium Publication date: September 9, 2020 Last revision: September 9, 2020 Portal: https:\/\/www.joomla.org\/ Affected systems: several flaws in the Joomla content management system, across versions ranging from 2.5.0 through 3.9.20. I. Description Mitigation&#8230;<\/p>\n","protected":false},"author":4,"featured_media":460,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-avisos-de-seguridad"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/2330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2330"}],"version-history":[{"count":3,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/2330\/revisions"}],"predecessor-version":[{"id":2337,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/2330\/revisions\/2337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/media\/460"}],"wp:attachment":[{"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
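The check a practitioner wants after reading an advisory like the one above is "does the install I am responsible for fall inside those ranges?". The following Python script is an added example, not part of the CSIRT Panamá advisory and not code from the Joomla project: it reads the installed version from a Joomla manifest and reports which of the three CVEs apply, using the inclusive ranges stated in the advisory and 3.9.21 as the fixed release. The manifest location (administrator/manifests/files/joomla.xml with a <version> element) is an assumption about the Joomla 3.x layout that you should confirm against your own install, and the sample manifest embedded below is constructed. Versions are compared as numeric tuples because plain string comparison ranks "3.9.9" above "3.9.20" and would wrongly report such an install as unaffected.

```python
#!/usr/bin/env python3
"""Check a Joomla install's version against the ranges in this advisory.

Added example, not part of the advisory and not Joomla project code.
Assumption: Joomla 3.x keeps its version in administrator/manifests/files/joomla.xml
inside a <version> element; confirm this against your own install.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Inclusive affected ranges as stated in the advisory; all three are fixed in 3.9.21.
ADVISORIES: Dict[str, Tuple[str, str, str]] = {
    "CVE-2020-24599": ("XSS in mod_latestactions", "3.9.0", "3.9.20"),
    "CVE-2020-24598": ("open redirect in com_content vote feature", "3.0.0", "3.9.20"),
    "CVE-2020-24597": ("directory traversal in com_media", "2.5.0", "3.9.20"),
}
FIXED_VERSION = "3.9.21"

# Constructed sample, shaped like a Joomla 3.x administrator/manifests/files/joomla.xml.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.9.20</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.9.20' -> (3, 9, 20). Numeric tuples compare correctly, whereas string
    comparison ranks '3.9.9' above '3.9.20' and would miss an affected install.
    A pre-release suffix such as '-rc1' is ignored for the range check."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Joomla version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_from_manifest(xml_text: str) -> str:
    """Extract the text of the <version> element from a joomla.xml manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text or not node.text.strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def applicable_advisories(version: str) -> List[str]:
    """CVE identifiers from this advisory whose inclusive range contains `version`."""
    v = parse_version(version)
    return sorted(
        cve for cve, (_, low, high) in ADVISORIES.items()
        if parse_version(low) <= v <= parse_version(high)
    )


def needs_update(version: str) -> bool:
    """True when the install is older than the release that fixes all three issues."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def report(xml_text: str) -> str:
    """Human-readable summary for one manifest."""
    version = version_from_manifest(xml_text)
    lines = [f"Joomla version: {version}"]
    for cve in applicable_advisories(version):
        lines.append(f"  affected by {cve} ({ADVISORIES[cve][0]})")
    if needs_update(version):
        lines.append(f"  action: update to {FIXED_VERSION} or later")
    else:
        lines.append("  no action required for this advisory")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python joomla_check.py /var/www/site/administrator/manifests/files/joomla.xml
    # With no argument the constructed sample manifest above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            manifest = fh.read()
    else:
        manifest = SAMPLE_MANIFEST
    print(report(manifest))
```

Run it against each site's manifest as part of an inventory sweep; a result listing any CVE means the 3.9.21 update from the advisory's section III is still outstanding for that install. The script only reads the manifest, so it is safe to run on production hosts, but it reports the version the files claim, not whether a partially applied update has actually replaced the vulnerable components.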