Alert GCSA-22042 - Security update for Joomla!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************************************************************

alert ID: GCSA-22042
date: 05 April 2022
title: Security update for Joomla!

******************************************************************

:: Problem description

New versions of the Joomla! CMS have been released
which fix 9 security vulnerabilities;
several bugs have also been fixed and improvements made.

[20220301] - Core - Zip Slip within the Tar extractor
[20220302] - Core - Path Disclosure within filesystem error messages
[20220303] - Core - User row are not bound to a authentication mechanism
[20220304] - Core - Missing input validation within com_fields class inputs
[20220305] - Core - Inadequate filtering on the selected Ids
[20220306] - Core - Inadequate validation of internal URLs
[20220307] - Core - Variable Tampering on JInput $_REQUEST data
[20220308] - Core - Inadequate content filtering within the filter code
[20220309] - Core - XSS attack vector through SVG

Further details are available in the "References" section.


:: Affected software

Joomla! versions prior to 3.10.8
Joomla! versions prior to 4.1.2

Joomla 3.10.8 and 4.1.2 contain all the security patches
of versions 3.10.7 and 4.1.1 except for patch 20220303, which
was removed because of an implementation problem.

If versions 3.10.7 or 4.1.1 have been installed and the backend super user
(/administrator) has trouble logging in, read the following FAQ
https://docs.joomla.org/J3.x:After_going_to_4.1,1_or_3.10.7_some_users_can%27t_login_anymore
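A quick way to check whether an installed Joomla! instance falls into the affected ranges above, as an added example that is not part of this alert or of the Joomla! project: the script reads the version constants from libraries/src/Version.php (an assumed path and constant names, modelled on Joomla's Version class; older installs used RELEASE/DEV_LEVEL, handled as a fallback) and compares them with the fixed releases 3.10.8 and 4.1.2. The two embedded Version.php samples are constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per branch, as stated in this alert.
FIXED_3 = (3, 10, 8)
FIXED_4 = (4, 1, 2)

# Assumed location of the version class relative to the Joomla! root
# (Joomla 3.8+ and 4.x); an assumption, not taken from this alert.
VERSION_FILE = Path("libraries") / "src" / "Version.php"

# Constructed sample of a Version.php from a 3.10.7 install (modelled on
# Joomla's constant names; not copied from the project).
SAMPLE_MODERN = """<?php
class Version
{
    public const MAJOR_VERSION = 3;
    public const MINOR_VERSION = 10;
    public const PATCH_VERSION = 7;
}
"""

# Constructed sample in the older RELEASE/DEV_LEVEL style (pre-3.8 installs).
SAMPLE_LEGACY = """<?php
final class JVersion
{
    const RELEASE = '3.7';
    const DEV_LEVEL = '5';
}
"""


def parse_version(php_source: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the text of Version.php, or None."""
    parts = {}
    for name, value in re.findall(r"(MAJOR|MINOR|PATCH)_VERSION\s*=\s*(\d+)", php_source):
        parts[name] = int(value)
    if {"MAJOR", "MINOR", "PATCH"} <= set(parts):
        return (parts["MAJOR"], parts["MINOR"], parts["PATCH"])
    # Fallback for older installs: RELEASE = 'X.Y', DEV_LEVEL = 'Z'
    rel = re.search(r"RELEASE\s*=\s*'(\d+)\.(\d+)'", php_source)
    dev = re.search(r"DEV_LEVEL\s*=\s*'(\d+)'", php_source)
    if rel and dev:
        return (int(rel.group(1)), int(rel.group(2)), int(dev.group(1)))
    return None


def is_affected(version: Version) -> bool:
    """True if the version is below the fixed release of its branch."""
    if version[0] >= 4:
        return version < FIXED_4
    # Anything below 3.10.8 (including end-of-life 2.x) is reported affected.
    return version < FIXED_3


def check_install(root) -> str:
    """Report the state of the Joomla! installation rooted at `root`."""
    path = Path(root) / VERSION_FILE
    if not path.is_file():
        return f"{path}: version file not found"
    version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return f"{path}: could not determine version"
    label = ".".join(map(str, version))
    target = FIXED_4 if version[0] >= 4 else FIXED_3
    if is_affected(version):
        return f"Joomla {label}: AFFECTED, update to {'.'.join(map(str, target))}"
    return f"Joomla {label}: not affected by GCSA-22042"


if __name__ == "__main__":
    import sys
    print(check_install(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the Joomla! web root as the only argument; it only reads the version file and does not touch the database or the backend.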


:: Impact

Remote code execution (RCE)
Denial of Service (DoS)
Cross Site Scripting (XSS)
SQL Injection (SQLi)
Security feature bypass (SFB)


:: Solutions

Update to version 3.10.8 or 4.1.2

https://downloads.joomla.org/
https://downloads.joomla.org/cms/joomla3/3-10-8
https://downloads.joomla.org/cms/joomla4/4-1-2
https://downloads.joomla.org/latest

Joomla! update instructions
https://docs.joomla.org/J3.x:Updating_from_an_existing_version/it
https://docs.joomla.org/Portal:Upgrading_Versions/it


:: References

Joomla! Release News
https://www.joomla.org/announcements/release-news/5858-joomla-4-1-2-and-3-10-8-release.html

Joomla! Security Announcements
https://developer.joomla.org/security-centre.html
https://developer.joomla.org/security-centre/870-20220301
https://developer.joomla.org/security-centre/871-20220302
https://developer.joomla.org/security-centre/872-20220303
https://developer.joomla.org/security-centre/873-20220304
https://developer.joomla.org/security-centre/874-20220305
https://developer.joomla.org/security-centre/875-20220306
https://developer.joomla.org/security-centre/876-20220307
https://developer.joomla.org/security-centre/877-20220308
https://developer.joomla.org/security-centre/878-20220309

Mitre CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23801


GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCYkwRDwAKCRDBnEyTZRJg
QnSuAJ4svLg4sOndQcZhi+jGfmIICiNHUACgkpj/4MyuIDizT+GaPNehWzrDwYg=
=sGfL
-----END PGP SIGNATURE-----