Joomla’s latest release addresses over 40 bugs, four of which are security issues.
The list of vulnerabilities includes a high-priority core SQL injection, a couple of medium-priority cross-site scripting (XSS) issues, and one medium-priority unauthorized login flaw.
The SQL injection vulnerability, caused by inadequate escaping, affects versions 3.1.0 through 3.2.2. The issue was first reported to the Joomla! Security Center on February 6.
One of the XSS flaws affects “com_contact” in versions 3.1.2 through 3.2.2. The vulnerability was reported earlier this month. The second XSS flaw, reported on March 5, affects version 2.5.18 and earlier 2.5.x versions, and 3.2.2 and earlier 3.x versions.
The unauthorized login bug involves inadequate checking that could have been exploited via Gmail authentication. The affected versions are 2.5.18 and earlier 2.5.x, and 3.2.2 and earlier 3.x releases. The vulnerability was reported on February 21.
CVE identifiers are pending for all the fixed security holes.
Users should update their installations immediately to Joomla 3.2.3. The latest release was created and tested by dozens of individuals. A complete list of names is available on the Joomla website.