
Introduction

The Kunena team has announced the arrival of Kunena 5.0.14 [K 5.0.14], which is now available for download as a native Joomla extension for J! 3.8.x. This version addresses most of the issues that were discovered in K 5.0, including issues found during its development stages. This is a security release.

This will be the last K5.0.x version.

The key distinctions of K 5.0.14 are:

  • XSS - High vulnerability
  • 3 bugs fixed
  • 3 enhancements
  • Find the full list of changes here.

Update instructions

Because K 5.0 has deprecated the old templates, make a backup first (files and database). After the update you need to recheck the settings, both in Kunena Configuration and on the template itself (Template Manager, then click on the template name).

Upgrading to K 5.0 involves changes that may affect Kunena's interoperability with other extensions installed on your site. For this reason it is advisable that you first test K 5.0.14 on a test site before you upgrade your live production site(s). At this stage the team is not treating interoperability with other Joomla extensions as the topmost priority. The main priority at this time is about installation/upgrade and operability as a standalone Joomla component.

K 5.0.14 is available for download on the download page.



Changes


XSS - High vulnerability

[20180313] - Core - Session

• Project: Kunena
• SubProject: Forum Core
• Severity: HIGH
• Versions: 3.0 through 5.0.13
• Exploit type: XSS
• Reported by: Sanity
• Reported Date: 2018-03-13
• Fixed Date: 2018-03-13
• Release Date: 2018-03-14
• Joomla VEL: Joomla Vulnerable Extensions List

Description:
There is an XSS vulnerability in session handling.

Affected Installs

Kunena versions 3.0.0 through 5.0.13 (Kunena 5.1 is not affected).

Solution

Upgrade to version 5.0.14 or use 5.1.0 RC3.
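A quick way to confirm whether a given install falls inside the affected range (3.0.0 through 5.0.13) before scheduling the upgrade. This is an added example, not Kunena or Joomla project code. It assumes the standard Joomla extension manifest layout (an `<extension>` root with a `<version>` child); the sample manifest below is constructed for the example, and the comparison treats pre-release tags such as "5.1.0 RC3" as ranking below the corresponding final release.

```python
"""Check whether an installed Kunena version is in the advisory's affected range.

Added example (not Kunena project code). Assumes the Joomla extension manifest
format: <extension ...><version>X.Y.Z</version>...</extension>.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = "3.0.0"
AFFECTED_MAX = "5.0.13"   # first fixed release is 5.0.14; 5.1.0 RC3 is also unaffected

# Constructed sample manifest, modelled on the Joomla extension manifest format.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="component" version="3.8" method="upgrade">
  <name>Kunena</name>
  <version>5.0.13</version>
</extension>
"""

# Pre-release ordering: dev < alpha < beta < rc < final release
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL_RANK = 9

_VERSION_RE = re.compile(
    r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*[-. ]?\s*(?:(dev|alpha|beta|rc)\s*(\d*))?\s*",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '5.1.0 RC3', '5.1.0-rc3' or '5.0.14' into a comparable tuple.

    A pre-release build of a version sorts before the final release of that
    same version number, so '5.1.0 RC3' < '5.1.0'.
    """
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):
        pre = (_PRE_RANK[m.group(4).lower()], int(m.group(5) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return (major, minor, patch) + pre


def is_affected(version):
    """True when version lies within AFFECTED_MIN .. AFFECTED_MAX inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def version_from_manifest(xml_text):
    """Read the <version> element from a Joomla extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


if __name__ == "__main__":
    installed = version_from_manifest(SAMPLE_MANIFEST)
    status = "affected, upgrade to 5.0.14 or 5.1.0 RC3" if is_affected(installed) else "not affected"
    print("Kunena %s: %s" % (installed, status))
```

On a real site, read the manifest from the component's install directory (for example the administrator-side com_kunena manifest; the exact path is an assumption about a typical install) instead of the embedded sample.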



Donate

Kunena is open source and free to use. We love providing one of the best forums out there, and don't expect to be paid for it. That said, projects like this have costs involved such as hosting and licenses. If you feel you have benefited from Kunena, and are able to do so, we would love your contribution. If you don't have the money to donate, then don't use an adblocker on our website; this will help us with the advertisements.


810 replied the topic:
6 years 1 week ago
It's the cache of the browser, on the dashboard of Joomla. Do Ctrl + F5;
this will recheck the updates.
rich replied the topic:
6 years 1 week ago
It should be displayed, but you can also install it via the Joomla installer.
NeilT replied the topic:
6 years 2 weeks ago
The update is not showing within the Joomla update notice? Is this a manual update?
810 replied the topic:
6 years 2 weeks ago
fixed
ruud replied the topic:
6 years 2 weeks ago
download link for the language files points to the wrong package (kunena package instead of language package) :)
810 replied the topic:
6 years 2 weeks ago
ok, changed.
Sanity replied the topic:
6 years 2 weeks ago
Hello 810,

As the original reporter of this issue I have to tell you it has nothing to do with "XSRF".
The request requires a CSRF token, so there is no exploiting with "XSRF".
This vulnerability should be categorized higher than "XSRF".

Best regards,
Sanity