CSIRT Panamá Advisory 2021-06-01 Joomla: Joomla 3.9.28 security update

Severity: High
Publication date: July 7, 2021
Last revision: July 7, 2021
Website: https://www.joomla.org/
Affected systems: versions
• from 3.0.0 up to 3.9.27.
• from 2.5.0 up to 3.9.27.

I. Description
Vulnerabilities in Joomla products, especially affecting the core, of the following types: improper field validation, missing validation of input data, improper session termination after a password change, and missing ACL checks.

II. Impact
Vulnerability: CVE-2021-26035
Improper validation in the Rules field of the JForm API leads to an XSS vulnerability.
Vulnerability: CVE-2021-26036
Missing validation of input data could damage the user groups table.
Vulnerability: CVE-2021-26037
Several CMS functions did not correctly terminate a user's existing sessions when that user's password was changed or the user was blocked.
Vulnerability: CVE-2021-26038
The install action in com_installer lacks the ACL checks required for super users, which could lead to several attack vectors. A default installation is not affected because com_installer is restricted to super users.
Vulnerability: CVE-2021-26039
Improper validation in the imagelist view of com_media leads to an XSS vulnerability.

III. Reference to solutions, tools and information
Update Joomla to version 3.9.28 via the following link: https://www.joomla.org/announcements/release-news/5840-joomla-3-9-28.html

Sources:
• Instituto Nacional de Ciberseguridad, INCIBE. Avisos Seguridad, Actualización de seguridad de Joomla. July 7, 2021. Retrieved from: https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-joomla-3928
• Security Announcements. Core – XSS in JForm Rules field. Retrieved from: https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html
• Security Announcements. Core – DoS through usergroup table manipulation. Retrieved from: https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html
• Security Announcements. Core – Lack of enforced session termination. Retrieved from: https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html
• Security Announcements. Core – XSS in com_media imagelist. Retrieved from: https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html
• Security Announcements. Core – Privilege escalation through com_installer. Retrieved from: https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html
• Joomla 3.9.28 Release. July 6, 2021. Retrieved from: https://www.joomla.org/announcements/release-news/5840-joomla-3-9-28.html

Contact information
CSIRT PANAMA
Computer Security Incident Response Team, Autoridad Nacional para la Innovación Gubernamental
E-Mail: info@cert.pa
Phone: +507 520-CERT (2378)
Web: https://cert.pa
Twitter: @CSIRTPanama
Key ID: 16F2B124