CVE-2023-40626 Topic is solved

[Webdongle]

https://developer.joomla.org/security-c ... ables.html Doesn't mention Joomla! 3.10.12 as being affected. But recommends updating to 3.10.14-elts.

Affected Installs

Joomla! CMS versions 1.6.0-4.4.0, 5.0.0
Solution

Upgrade to version 3.10.14-elts, 4.4.1 or 5.0.1

Does this mean
a. Joomla! 3.10.12 is affected but was just a typo not including it in the Affected Installs
or
b Joomla! 3.10.12 is not affected?

[pe7er]

https://developer.joomla.org/security-c ... ables.html Doesn't mention Joomla! 3.10.12 as being affected.

Actually, that CVE states "Versions: 1.6.0-4.4.0, 5.0.0"
which I read as that all versions from 1.6.0 to 4.4.0, and 5.0.0 are affected.
So I suppose that Joomla 3.10.12 is affected as well...

[brian]

pe7er is correct - all versions

[Webdongle]

Ah. Cleaned my glasses I see it's a hyphen. Yeah threw me a little the hyphen in the 'Affected Installs' section but the word 'to' in the 'Solution' section. I need sleep been on the laptop 10 hours solid. Thanks for clarifying.

[Webdongle]

Someone sent me a link https://github.com/TLWebdesign/Joomla-3 ... per-hotfix

[tlweb]

Thanks for sharing my little plugin that patches this vulnerability

[gljoo]

To apply this patch, can I simply replace the LanguageHelper.php file found in /JoomlaInstallDir/libraries/src/Language/ with the one that can be downloaded from GitHub ?

[Webdongle]

Tap the 'Code' button
Download the zip and install Joomla admin Extensions >>> Install

[gljoo]

Hi @Webdongle, thanks for the clarification.

By manually replacing the LanguageHelper.php file, can I avoid installing the extension ?

It seems to me that the script.php file just replaces that file without making any other changes ...

[Webdongle]

Don't know I didn't write the code. I just did it the usual way for installing extensions.

[gljoo]

I did not install the plugin, but simply replaced the LanguageHelper.php file with the one that fixes the vulnerability and everything seems to be working properly.