Jun 30, 2011 05:13 GMT

The Joomla Project has released a new version of its popular CMS platform in order to address four security vulnerabilities and two other bugs.

The new Joomla 1.6.4 version contains patches for two cross-site scripting (XSS) vulnerabilities, one unauthorized access issue and an information disclosure weakness.

The XSS flaws are rated as medium severity and were reported by Mesut Timur and Aung Khant on March 24 and May 25 respectively.

Cross-site scripting is a common class of vulnerability that arises when user-supplied input is not properly filtered before being echoed back into a page, allowing attacker-controlled script to be injected into the HTML served to other users.

There are several types of XSS vulnerabilities; persistent (stored) XSS is considered the most dangerous because the injected code is saved on the server and delivered to every visitor of the affected page.

Reflected XSS weaknesses, by contrast, can only be exploited by tricking victims into opening maliciously crafted URLs. The Joomla advisories don't specify which type the fixed cross-site scripting flaws are.
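Whether the injection is stored or reflected, the defensive fix in a PHP template is the same: encode untrusted values for the HTML context at the point of output. The following is an added illustration written for this article, not Joomla's own code or its 1.6.4 patch; the `$untrusted` string is a constructed sample, and the two render functions are hypothetical names.

```php
<?php
// Added illustration (not Joomla code): the same user-controlled value
// rendered by a layout with and without output encoding.

// Constructed sample: a value an attacker could have stored in a record
// or reflected from a query-string parameter.
$untrusted = '<script>alert(1)</script>';

// Vulnerable pattern: the value is interpolated into HTML as-is, so any
// markup it contains becomes part of the page.
function renderUnsafe($value)
{
    return "<h2>$value</h2>";
}

// Fixed pattern: encode for the HTML context before output.
// ENT_QUOTES also encodes single quotes, which keeps the value safe when
// it lands inside an attribute delimited by either quote style.
function renderSafe($value)
{
    return '<h2>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</h2>';
}

echo renderUnsafe($untrusted), PHP_EOL; // a browser would execute the script
echo renderSafe($untrusted), PHP_EOL;   // renders the tags as literal text
```

The same rule applies to template overrides: a site that copies a core layout into its own template inherits whatever unescaped output that layout had, which is why the advisory below asks override users to re-apply the fix themselves.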

The unauthorized access issue is caused by inadequate permission checking and is also rated as medium severity. It was reported by Mark Dexter on June 10.

The information disclosure vulnerability is rated with low severity and is credited to Aung Khant, who reported it on May 25.

"In version 1.6.4 a security fix was made to a number of layout files, specifically those for category lists for articles, weblinks, newsfeeds and contacts and the featured contact list.

"If you are using layout overrides for these you should ensure that the same changes are made in your template (if the same issue is present)," the Joomla development team writes in an advisory.

In addition to the security content, Joomla 1.6.4 also contains fixes for two bugs in the upgrade procedure, one regarding the automatic database update process and one concerning the removal of files during the update from 1.6.2 to 1.6.3.

The latest version of Joomla can be downloaded from here.