Threat Analysis - Joomla Security Announcement [20250301] / CVE-2025-22213

On March 11, 2025 the Joomla! Security Strike Team released security announcement 20250301 along with updates for Joomla 4 and 5. The threat has been described as follows:

Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions.

Reported Impacted Versions: 4.0.0-4.4.11 / 5.0.0-5.2.4 

Joomla 3 Threat Analysis: This issue does not impact Joomla 3 versions. The Joomla 3 media manager is verified to block unsafe/unsupported media uploads.
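The announcement above boils down to a missing allow-list on the target name of a rename. The following is an added illustrative check written for this page; it is not code from Joomla, the JSST, or the Legacy Joomla Project, and it does not reproduce the actual upstream fix. The function name, the EXECUTABLE_EXTENSIONS constant and the `$allowed` array are assumptions constructed for the example; on a real site the permitted extension list would come from the media configuration.

```php
<?php
// Added example (not Joomla's own code): an allow-list check for the target name
// of a media-manager rename, the kind of validation the announcement describes
// as inadequate. The allowed-extension list is assumed to come from site
// configuration; the array at the bottom is constructed for this example.

/** Server-side executable extensions that must never appear in any dotted segment. */
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht',
    'shtml', 'cgi', 'pl', 'py', 'asp', 'aspx', 'jsp', 'htaccess',
];

/**
 * Decide whether a requested new file name is acceptable for a media rename.
 * Returns true only when the name is a bare basename, its final extension is
 * on the (lower-case) allow list, and no dotted segment is a server-executable
 * extension.
 */
function isSafeMediaRename(string $newName, array $allowedExtensions): bool
{
    // A rename must only change the basename: reject separators, traversal and dot names.
    if ($newName === '' || $newName !== basename($newName) || $newName === '.' || $newName === '..') {
        return false;
    }
    // Reject null bytes and control characters that can confuse lower layers.
    if (preg_match('/[\x00-\x1F\x7F]/', $newName) === 1) {
        return false;
    }
    $segments = explode('.', $newName);
    // Require a non-empty base name and at least one extension ("photo.jpg", not ".htaccess" or "photo").
    if (count($segments) < 2 || $segments[0] === '') {
        return false;
    }
    array_shift($segments);
    $extensions = array_map('strtolower', $segments);
    // The effective (last) extension must be explicitly permitted.
    if (!in_array(end($extensions), $allowedExtensions, true)) {
        return false;
    }
    // No other segment may be an executable extension, so "shell.php.jpg" is refused as well.
    foreach ($extensions as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed allow list standing in for the site's configured media extensions.
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

foreach (['photo.jpg', 'photo.PNG', 'photo.php', 'photo.php.jpg', '../photo.jpg', '.htaccess'] as $candidate) {
    printf("%-16s %s\n", $candidate, isSafeMediaRename($candidate, $allowed) ? 'allowed' : 'rejected');
}
```

The decision is allow-list first: a name passes only if its final extension is one the site has chosen to serve as media. The additional scan over every dotted segment exists because some web server configurations map a handler to any segment of the name rather than the last one, so "shell.php.jpg" must be refused even though ".jpg" is permitted. Case is normalised before comparison so that "photo.PNG" is treated like "photo.png".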


Status update - March 2025.

All systems have officially moved out of beta. Again, thank you to everyone who has helped prepare the website, organize support services, provide admin help, and test systems. We'd like to provide a quick status update.

New Release: The team has prepared and released v3.10.21-ljp. This release is currently being distributed via our live update servers. This is a maintenance patch updating the system root CA bundles to the latest release from Mozilla.

Note: This is a maintenance release and not considered a security patch. These changes will be released to the public repository, along with any additional updates, in the April quarterly public release.

Project/System Notes:

Subscriber Portal: The core subscription management system is in full release. Current payment processing is through PayPal. There are things we do not like about the PayPal-side interface, so we are looking at alternate service providers to improve the user experience.

We continue to focus on improving mobile layouts, expanding support resources, and improving the general subscriber portal experience.


As things continue to progress, we will provide updates here on the blog.

Status update - Feb 2025.

First. A big thank you to everyone who has helped prepare the website, organize support services, provide admin help, and test systems. We'd like to provide a quick status update as we move into final beta testing and approach official launch. Below are more details about the status of project components.

Public website: basic information, signup systems, and contact functions are up and running. If you are reading this, the public blog is live as well. Current focus is on improving mobile layouts, particularly the experience on extremely small displays.

Subscriber Portal: Core subscription management system is up and running in full beta. Payment processing through PayPal is sandbox verified, live tested, and in full-functioning public beta. Current focus is on improving mobile layouts, particularly in subscriber support pages. We are also working to expand support resources and improve general portal experience.

Update Server: The core update server has been in internal beta testing since early January 2025 and is now in full public beta. Integration with the public subscription services is complete and also in full public beta.

Internal Controls: Live threat monitoring policies and administrative procedures are in place, and staff are prepared to begin daily monitoring. Internal policies and processes for threat escalation/resolution and production are in final review.

As things progress we will continue to provide project updates here on the blog.


The Legacy Joomla Project is a third-party support service sponsored by KB Systems, llc and is not affiliated with official Joomla! projects or Open Source Matters. Any trademarks pertaining to Joomla! are exclusively owned by Open Source Matters and utilized for the purpose of describing goods or services supporting deployed installations of the Joomla! CMS.