Security update for Joomla
The Joomla developers have announced the release of version 1.5.13 of their content management system (CMS). The security update addresses a critical vulnerability in the Tiny browser included with the TinyMCE 3.0 editor that could allow files to be uploaded or removed without a user needing to be logged in. Version 1.5.12 is affected. Additional details, however, have not been provided.
A moderate cross-site scripting (XSS) issue has also been fixed: some files could miss the JEXEC check, causing scripts to expose internal path information to the host. All 1.5.x versions up to and including 1.5.12 are affected. The 1.5.13 update addresses both of the issues.
In addition to fixing the security problems, the update includes 26 bug fixes. The developers advise all users to upgrade immediately.
- Core - File Upload, security advisory from Joomla.
- Core - Missing JEXEC Check, security advisory from Joomla.
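An audit for the missing JEXEC check, as an added example (not Joomla's own code): it assumes the Joomla 1.5 convention that every PHP file other than an entry point starts with `defined('_JEXEC') or die(...)` (or the `JPATH_BASE` variant) and lists the files under a site root where that guard is not the first statement. The file names and contents in `SAMPLES` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed guard forms: defined('_JEXEC') or die(...), or the JPATH_BASE variant.
GUARD_RE = re.compile(
    r"""defined\s*\(\s*['"](_JEXEC|JPATH_BASE)['"]\s*\)\s*(or|\|\|)\s*(die|exit)\b""", re.I)
# Entry points (e.g. index.php) define the constant instead of testing it.
DEFINE_RE = re.compile(r"""\bdefine\s*\(\s*['"]_JEXEC['"]""", re.I)
# Comments are removed first so a commented-out guard does not count.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
OPEN_TAG_RE = re.compile(r"<\?(?:php\b)?", re.I)

def classify(source):
    """Return 'guarded', 'entry-point', 'unguarded' or 'no-php' for one file."""
    code = COMMENT_RE.sub("", source)
    tag = OPEN_TAG_RE.search(code)
    if tag is None:
        return "no-php"
    body = code[tag.end():].lstrip()
    if GUARD_RE.match(body):          # the guard must be the first statement
        return "guarded"
    if DEFINE_RE.search(body):
        return "entry-point"
    return "unguarded"

def scan(root):
    """List *.php files under root (relative, POSIX style) lacking the guard."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if classify(p.read_text(errors="replace")) == "unguarded")

# Constructed sample tree; names and contents are illustrative only.
SAMPLES = {
    "index.php": "<?php\ndefine( '_JEXEC', 1 );\nrequire 'includes/framework.php';\n",
    "components/com_example/example.php":
        "<?php\n// no direct access\ndefined( '_JEXEC' ) or die( 'Restricted access' );\n",
    "plugins/example/helper.php": "<?php\nrequire_once dirname(__FILE__) . '/lib.php';\n",
    "plugins/example/late.php": "<?php\n// defined('_JEXEC') or die();\ninclude 'x.php';\n",
}

def demo():
    """Write SAMPLES to a temporary directory and return the unguarded files."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return scan(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The check is a heuristic: a flagged file still needs a manual look to decide whether a direct request to it can reveal anything.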