The phar:// stream wrapper can be used for objection injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper.
Joomla! CMS versions 2.5.0 through 3.9.2
Upgrade to version 3.9.3
The JSST at the Joomla! Security Centre.
Inadequate parameter handling in JS code could lead to an XSS attack vector.
Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS.
"No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog.
A combination of specific webserver configurations, in connection with specific file types and browserside mime-type sniffing causes a XSS attack vector.
Joomla! CMS versions 1.0.0 through 3.9.2