Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 386169 - www-apps/joomla: Unspecified vulnerability (CVE-2011-{2488,2509,2710,3747})
Summary: www-apps/joomla: Unspecified vulnerability (CVE-2011-{2488,2509,2710,3747})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
: 385493 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-10-07 23:16 UTC by GLSAMaker/CVETool Bot
Modified: 2011-10-09 10:53 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:16:14 UTC 
CVE-2011-3747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3747):
  Joomla! 1.6.0 allows remote attackers to obtain sensitive information via a
  direct request to a .php file, which reveals the installation path in an
  error message, as demonstrated by
  libraries/phpmailer/language/phpmailer.lang-joomla.php.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:20:29 UTC 
CVE-2011-2710 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2710):
  Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0
  allow remote attackers to inject arbitrary web script or HTML via (1) the
  URI to includes/application.php, reachable through index.php; and, when
  Internet Explorer or Konqueror is used, (2) allow remote attackers to inject
  arbitrary web script or HTML via the searchword parameter in a search action
  to index.php in the com_search component.  NOTE: vector 2 exists because of
  an incomplete fix for CVE-2011-2509.5.

CVE-2011-2509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2509):
  Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4
  allow remote attackers to inject arbitrary web script or HTML via (1) the
  query string to the com_contact component, as demonstrated by the Itemid
  parameter to index.php; (2) the query string to the com_content component,
  as demonstrated by the filter_order parameter to index.php; (3) the query
  string to the com_newsfeeds component, as demonstrated by an arbitrary
  parameter to index.php; or (4) the option parameter in a reset.request
  action to index.php; and, when Internet Explorer or Konqueror is used, (5)
  allow remote attackers to inject arbitrary web script or HTML via the
  searchword parameter in a search action to index.php in the com_search
  component.

CVE-2011-2488 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2488):
  Joomla! before 1.5.23 does not properly check for errors, which allows
  remote attackers to obtain sensitive information via unspecified vectors.

CVE-2010-4837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4837):
  Cross-site scripting (XSS) vulnerability in the JSupport (com_jsupport)
  component 1.5.6 for Joomla! allows remote attackers to inject arbitrary web
  script or HTML via the subject parameter (title field) in a saveTicket
  action to index2.php.  NOTE: some of these details are obtained from third
  party information.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 12:21:24 UTC 
Please ignore CVE-2010-4837, thanks.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2011-10-09 08:56:24 UTC 
*** Bug 385493 has been marked as a duplicate of this bug. ***
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2011-10-09 09:05:03 UTC 
Bumped.

We need to think hard about an upgrade path from 1.5 to 1.7.  Officially this is done inside a Joomla installation, but we cannot propose that in Gentoo.
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-09 09:36:11 UTC 
Hi all, please check: http://developer.joomla.org/security/news/368-20110902-core-xss-vulnerability

There is no need security bug, because the affected version was masked in tree and 1.5 is not affected.