[20191202] - Core - Various SQL injections through configuration parameters

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Versions: 2.5.0 - 3.9.13
  • Exploit type: SQL injection
  • Reported Date: 2019-December-01
  • Fixed Date: 2019-December-17
  • CVE Number: CVE-2019-19846

Description

The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.

Affected Installs

Joomla! CMS versions 2.5.0 - 3.9.13

Solution

Upgrade to version 3.9.14

Contact

The JSST at the Joomla! Security Centre.

Reported By: ka1n4t