User tests: Successful: Unsuccessful:
Joomla 3.9.26 had last-minute security fixes added to it by the JSST.
One of these security issues was not fixed in all places.
This commit 6c7b17c#diff-36647192855b2ef14c990918bb56b4da7ac2d012fece3b98f3090d95fcd3abe2R44 also needs to be made to the offline.php file.
Thanks to @C-Lodder for reporting.
Category ⇒ Front End Templates (site)
Will this be fixed in the next version or will there be a new update package?
Not my decision. Just another sloppy JSST security fix :-(
Out of curiosity why is this a security problem or even a problem at all?
Template editing is allowed only for Super Users. Also, this field accepts only a URL path, so I find it extremely weird that a superuser would decide to alter the logo and inject faulty code. Or maybe it's just me...
Ask the @joomla/security JSST team. I'm not part of that team. I'm not privileged to see the original reports.
I know as much as everyone else, and that is: "Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages", as per https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html
@PhilETaylor I'm not trying to blame you here, just to understand why this is treated as insecure
Edit: also, why is there no validator/sanitiser for the media field? https://github.com/joomla/joomla-cms/tree/staging/libraries/src/Form/Rule
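The advisory quoted above describes inadequate escaping of the logo parameter on error pages, and the question above asks why a field that holds "only a URL path" matters. The following is an added example, not code from the Joomla project or from this pull request: it contrasts echoing a stored template parameter straight into an `<img>` attribute with the escaped form, using PHP's `htmlspecialchars()`. Joomla's templates use their own escape helpers; the function names, the path-validation rule and the sample values here are constructed for illustration.

```php
<?php
// Added example (not Joomla's own code): why a "URL path only" template
// parameter still has to be escaped when it is echoed into an HTML attribute.
// Function names and sample values are constructed for this illustration.

declare(strict_types=1);

/**
 * Render the <img> tag the way an error/offline page might, WITHOUT escaping.
 * This is the vulnerable pattern the advisory describes: a stored parameter
 * interpolated straight into markup.
 */
function renderLogoUnescaped(string $logoFile): string
{
    return '<img src="' . $logoFile . '" alt="Site logo">';
}

/**
 * Hardened variant: HTML-escape the value for the attribute context.
 * ENT_QUOTES encodes both " and ', so the value cannot terminate the src
 * attribute and start a new one, whatever the stored string contains.
 */
function renderLogoEscaped(string $logoFile): string
{
    $safe = htmlspecialchars($logoFile, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<img src="' . $safe . '" alt="Site logo">';
}

/**
 * Defence in depth a media-field validator could apply in addition to output
 * escaping: accept only a relative path of safe characters that ends in an
 * image extension. (Constructed rule; Joomla's form rules live under
 * libraries/src/Form/Rule as linked in the thread.)
 */
function isPlausibleLogoPath(string $logoFile): bool
{
    return (bool) preg_match('~^[A-Za-z0-9_./-]+\.(png|jpe?g|gif|svg|webp)$~', $logoFile);
}

// Constructed sample values.
$benign = 'images/logo.png';
// A stored value that is not a plain path: it closes the src attribute and
// adds an extra attribute. A harmless marker is used here to make the
// broken attribute boundary visible in the output.
$hostile = 'images/logo.png" data-injected="yes';

echo renderLogoUnescaped($benign), PHP_EOL;
echo renderLogoUnescaped($hostile), PHP_EOL;
echo renderLogoEscaped($hostile), PHP_EOL;

var_dump(isPlausibleLogoPath($benign));
var_dump(isPlausibleLogoPath($hostile));
```

Run it with `php example.php`. In the second line of output the stored value has escaped the `src` attribute and the browser would see a second attribute; in the third line the double quotes are encoded as `&quot;`, so the whole value stays inside `src`. The point for the thread: the field holding a path does not make the output safe, because safety is a property of how the value is written into the page, not of what the field is supposed to contain, and only a Super User being able to set it narrows the attacker set without removing the flaw.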
Status: Pending ⇒ Ready to Commit
Status: Ready to Commit ⇒ Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 ⇒ 2021-04-16 07:52:42