Affected Joomla! Versions 4.0.0 – 4.2.7
Joomla! 4.2.8 is now available. This is a security release for the 4.x series of Joomla! which addresses a critical security vulnerability in the web services API. We strongly recommend that you update your sites immediately.
This release only contains the security fix; no other changes have been made compared to the Joomla! 4.2.7 release.
After the release, we strongly advise you to renew the passwords for all credentials that are stored in the global site configuration, namely:
- database
- SMTP
- Redis
- HTTP proxy
The issue has been reported in a responsible disclosure process, there have been no signs of exploitation on public sites.
update 18 February 2023:
Moments after the update was published we have seen active searches for vulnerable websites and hacking attempts. Servers being infected have started searches for other infected machines. If you did not update yet, make it your #1 task for today.
Security issue fixed with 4.2.8
[20230201] – Core – Improper access check in webservice endpoints
More Information
Where can I download Joomla 4.2.8?
On the Downloads site, of course ๐ Upgrade can be found here.
Full article can be found on the Joomla! website here.
Searching for the vulnerability and see if you are affected can be done if you have a dedicated server, a write up on this can be found here: https://www.dionysopoulos.me/joomla-428-security-fix-not-end-of-world.html
