Now updated with changes made in Jan 2025 (Joomla 3.10.20-elts)
Today, 7th Jan 2025, the Joomla project announced that the end-of-life Joomla 3 series has a further three security vulnerabilities that they have decided to make public – but how do you apply those fixes on 1000 Joomla 3 sites?
We all know Joomla 3 is now end of life, but how do you fix the Joomla 3 security issues that are still being found without going crazy?
How to fix Joomla 3 security issues? Easily with mySites.guru ONE CLICK tool!
This new tool, as part of the Ultimate Tools for Joomla in the mySites.guru service is hosted in the Site Snapshot.
We provide all the security fixes for Joomla 3 – keeping your site secure!
The tool only runs on Joomla 3.10.12 – the last officially released public version of the Joomla 3 series – and ignores the commercial eLTS scam scheme.
The mySites.guru one click tool displays the number of files that we have determined are not yet patched and gives you the ability to one click fix that site by allowing us to patch the Joomla 3.10.12 files for you.
There are currently 55 files that need modifying since Joomla 3.10.12 was released, to make Joomla 3.10.12 as secure as possible by addressing all security issues known at this time.
Where can I find this tool to fix my Joomla 3 security issues?
You can use the Command Palette (Cmd+K) and search for "find all", or you can view the tool in the Joomla Configuration section of the Snapshot on the Manage Joomla Site page in your mySites.guru account.
This will lead you to the site tool overview page that lists all your Joomla 3.10.12 websites and shows their patch status.
What are the known security issues this fixes?
Well, the ones that are known are quite minor really. There is nothing that is going to get your site hacked right away while you sleep, but there are some minor issues that you should resolve with the security patch in mySites.guru so that you can be sure that your Joomla 3 site is fully protected from all known security issues.
There are known issues with Cross-Site Scripting in media selection fields and mail address output, an open redirect in the installation application (which should never be present on a live site anyway!), an insufficient session expiration issue when saving MFA for users, and an exposure of environment variables in a fringe edge case.
Specifically, which Joomla 3 security issues can mySites.guru fix?
- Fixes in Joomla 3.10.19-elts that fix the broken code released in the 3.10.18-elts release
- Fixes in Joomla 3.10.18-elts that fix the broken code released in the 3.10.17-elts release
- CVE-2024-27184 – [20240801] – Core – Inadequate validation of internal URLs
- CVE-2024-27185 – [20240802] – Core – Cache Poisoning in Pagination
- CVE-2024-40743 – [20240805] – Core – XSS vectors in Outputfilter::strip* methods
- CVE-2024-21731 – [20240703] – Core – XSS in StringHelper::truncate method
- CVE-2024-26279 – [20240704] – Core – XSS in Wrapper extensions
- CVE-2024-26278 – [20240705] – Core – XSS in com_fields default field value
- CVE-2024-21726 – Inadequate content filtering within the filter code
- CVE-2024-21724 – XSS in media selection fields.
- CVE-2024-21725 – XSS in mail address outputs
- CVE-2024-21723 – Open redirect in installation application.
- CVE-2024-21722 – Insufficient session expiration in MFA management views.
- CVE-2023-40626 – Exposure of environment variables.
- CVE-2024-40747 – XSS vectors in module chromes
- CVE-2024-40748 – XSS vector in the id attribute of menu lists
- CVE-2024-40749 – Read ACL violation in multiple core views
The following is the list of files that the mySites.guru tool will modify for you:
- administrator/components/com_config/model/form/application.xml
- administrator/language/en-GB/en-GB.com_config.ini
- components/com_content/views/archive/view.html.php
- components/com_finder/views/search/view.html.php
- components/com_search/views/search/view.html.php
- libraries/src/Cache/Cache.php
- libraries/src/Pagination/Pagination.php
- administrator/components/com_banners/models/forms/banner.xml
- administrator/components/com_categories/models/forms/category.xml
- administrator/components/com_contact/config.xml
- administrator/components/com_contact/models/forms/contact.xml
- administrator/components/com_content/models/forms/article.xml
- administrator/components/com_fields/models/forms/field.xml
- administrator/components/com_menus/models/forms/item_alias.xml
- administrator/components/com_menus/models/forms/item_component.xml
- administrator/components/com_menus/models/forms/item_heading.xml
- administrator/components/com_menus/models/forms/item_separator.xml
- administrator/components/com_menus/models/forms/item_url.xml
- administrator/components/com_menus/models/forms/itemadmin_alias.xml
- administrator/components/com_menus/models/forms/itemadmin_component.xml
- administrator/components/com_menus/models/forms/itemadmin_container.xml
- administrator/components/com_menus/models/forms/itemadmin_heading.xml
- administrator/components/com_menus/models/forms/itemadmin_url.xml
- administrator/components/com_newsfeeds/models/forms/newsfeed.xml
- administrator/components/com_tags/models/forms/tag.xml
- administrator/components/com_users/models/user.php
- administrator/language/en-GB/en-GB.lib_joomla.ini
- administrator/templates/hathor/templateDetails.xml
- administrator/templates/isis/templateDetails.xml
- components/com_content/models/forms/article.xml
- components/com_tags/views/tag/tmpl/default.xml
- components/com_tags/views/tag/tmpl/list.xml
- components/com_tags/views/tags/tmpl/default.xml
- components/com_users/models/profile.php
- components/com_users/views/login/tmpl/default.xml
- components/com_wrapper/views/wrapper/tmpl/default.xml
- includes/framework.php
- libraries/cms/html/string.php
- libraries/fof/download/adapter/cacert.pem
- libraries/src/Form/Rule/UrlRule.php
- libraries/src/Http/Transport/cacert.pem
- libraries/src/Language/LanguageHelper.php
- libraries/src/Uri/Uri.php
- libraries/vendor/joomla/filter/src/InputFilter.php
- libraries/vendor/joomla/filter/src/OutputFilter.php
- modules/mod_custom/mod_custom.xml
- modules/mod_wrapper/mod_wrapper.xml
- plugins/user/profile/profile.php
- templates/beez3/templateDetails.xml
- templates/protostar/templateDetails.xml
- components/com_privacy/controller.php
- components/com_privacy/privacy.php
- components/com_users/controller.php
- components/com_users/users.php
- modules/mod_menu/tmpl/default.php
Many of these files are XML form definitions, which set new validation rules and filters for form fields. Changing the XML files alone is not enough to secure your site; they work in conjunction with the changes in the PHP files.
What happens if I set this tool to not ok/red with the toggle?
We will revert the files to the Joomla 3.10.12 version of that file, reintroducing the security issue that was previously resolved by patching.
How can I fix my Joomla 3 security issues?
You can simply log in to mySites.guru, click Manage Site next to your Joomla 3.10.12 site, and then on the Snapshot tab scroll down and look for "Fix All Known Joomla 3 End Of Life Security Issues". Click the toggle next to it to patch your site with a single click.
What if I have many Joomla 3.10.12 sites that need patching?
Simple, click the square button next to the toggle – it looks like this:
That button will lead you to a list of all your Joomla 3.10.12 websites where you can see an overview of their patch status, and more toggles to activate to patch your sites – simple!
The direct URL to that page is:
https://manage.mysites.guru/en/tools/allsites/Joomla/joomlaconfiguration/joomla3eol
How does mySites.guru fix Joomla 3 security issues?
The mySites.guru connector on your site knows the status of your files, and when you toggle the tool in mySites.guru we compare the md5 hash of each of your 36 files to the expected md5 hash of the secured, patched version.
If they differ, mySites.guru will attempt to replace the old file with the new patched version.
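The hash-compare-then-replace step described above, written out as an added example so you can see what such a check looks like end to end. This is not mySites.guru's connector code; the file contents, relative paths and md5 values in the manifest are constructed for the demo, and the directory layout (site tree, patched copies, backup tree) is an assumption of the example.

```python
"""Added example (not mySites.guru's connector): compare each file's md5 against
the expected md5 of its patched version, and replace the ones that differ.
All file contents, paths and hash values below are constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """Hex md5 of a file, read in chunks so large files are handled."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def patch_status(site_root: Path, manifest: dict) -> dict:
    """manifest maps relative path -> expected md5 of the patched version.
    Returns relative path -> 'patched', 'unpatched' or 'missing'."""
    status = {}
    for rel, expected in manifest.items():
        target = site_root / rel
        if not target.is_file():
            status[rel] = "missing"
        elif md5_of(target) == expected:
            status[rel] = "patched"
        else:
            status[rel] = "unpatched"
    return status


def apply_patches(site_root: Path, patched_root: Path, manifest: dict,
                  backup_root: Path) -> list:
    """Replace every unpatched or missing file with its patched counterpart.
    The replacement is only written if it hashes to the manifest value, and any
    existing file is copied to backup_root first so the change can be reverted."""
    replaced = []
    for rel, state in patch_status(site_root, manifest).items():
        if state == "patched":
            continue
        source = patched_root / rel
        if md5_of(source) != manifest[rel]:
            raise ValueError(f"patched copy of {rel} does not match the manifest")
        target = site_root / rel
        if target.is_file():
            backup = backup_root / rel
            backup.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(target, backup)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
        replaced.append(rel)
    return replaced


def demo() -> tuple:
    """Build a throwaway site tree, patch it, return (before, replaced, after)."""
    work = Path(tempfile.mkdtemp())
    site, patched, backup = work / "site", work / "patched", work / "backup"
    # Constructed sample files: (content on the site, patched content).
    # One stock file, one already patched, one missing from the site entirely.
    files = {
        "libraries/src/Uri/Uri.php": (b"<?php // stock 3.10.12\n", b"<?php // patched\n"),
        "includes/framework.php": (b"<?php // patched\n", b"<?php // patched\n"),
        "libraries/src/Cache/Cache.php": (None, b"<?php // patched\n"),
    }
    manifest = {}
    for rel, (stock, fixed) in files.items():
        (patched / rel).parent.mkdir(parents=True, exist_ok=True)
        (patched / rel).write_bytes(fixed)
        manifest[rel] = hashlib.md5(fixed).hexdigest()
        if stock is not None:
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_bytes(stock)
    before = patch_status(site, manifest)
    replaced = apply_patches(site, patched, manifest, backup)
    after = patch_status(site, manifest)
    shutil.rmtree(work)
    return before, replaced, after


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the example: the patched copy is itself hashed against the manifest before it is written, so a corrupted or tampered replacement is never installed, and the original is backed up first, which is what makes the "revert to 3.10.12" toggle described later on this page possible. md5 is used here purely as a version fingerprint to match the page; a tool you build yourself can use sha256 just as easily.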
How will I know what the changes are?
The mySites.guru audit will show all patched files as Core File Changes in the main audit tools. This is because they ARE changes to the default Joomla 3.10.12 distributed versions.
Why are you talking about Joomla 3 when Joomla 4 and 5 are out?
There are still tens of thousands of sites still running Joomla 3.
"1.4% of the internet still runs Joomla 3.x (Joomla! CMS, all versions combined, powers 1.7% of all websites on the internet)" – W3Techs.com
These all need protecting against newly found vulnerabilities, and as all Digital Agency dashboard owners know, moving customers across versions – with large, incompatible upgrades – takes time and budget, and sometimes never happens.
The very latest Joomla Usage Statistics show that Joomla 3.10.x is being used over 35% of the time.
Conclusion
The new toggle switch in the mySites.guru service will allow you to apply all the known patches for all the known security issues in Joomla 3 at any given time.
That way you can sleep soundly in the secure knowledge that your end-of-life Joomla 3 sites are somewhat more secure than stock Joomla 3.10.12.
Of course, you should have already been planning or implementing your move to Joomla 4…. and onwards to Joomla 5 right? … you are doing that right? oh… never mind then …
What is the Joomla 3.10.999 Project?
The Joomla 3.10.999 project can be seen at https://github.com/PhilETaylor/Joomla3.10.999
The github repo contains every Joomla 3.10 version starting with the Joomla 3.10.12 version that was the last officially supported version of Joomla 3 series.
It also contains diffs for all the additional patches released under the commercial eLTS scam that the Joomla project (badly) runs.
It will be maintained for many years to come, and is a source of truth for the changes made in eLTS versions to address security issues – it is maintained, and consumed, by the mySites.guru project internally.
It is the latest in the 999 projects like the Joomla 1.5.999 and Joomla 2.5.999 repositories.
Last updated on January 7th, 2025