Joomla! 1.7.x < 3.9.16 Multiple Vulnerabilities

According to its self-reported version, the instance of Joomla! running on the remote web server is 1.7.x prior to 3.9.16. It is, therefore, affected by multiple vulnerabilities :

• Missing token checks in the image actions of com_templates causes CSRF vulnerabilities. (CVE-2020-10241)

• Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allow XSS attacks. (CVE-2020-10242)

• Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors. (CVE-2020-10238)

• Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses. (CVE-2020-10240)

• Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users. (CVE-2020-10239)

• The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Featured Articles frontend menutype. (CVE-2020-10243)

Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.