22 August 2025
Quantum Manager ver.3.2.1 and ver.2.0.5 — Security Releases

Urgent update! The latest releases of Quantum Manager address two security vulnerabilities and include several bug fixes. All users are strongly advised to update to version 3.2.1 to ensure their installation remains secure and up to date.
Vulnerabilities Summary
1. Stored XSS in SVG files
Description: Prevented accidental execution of JavaScript embedded in SVG files within the Quantum Manager admin panel (file previews are now replaced with placeholders).
Affected: Version 3.2.0 and all previous versions
Solution: Stored XSS payloads in SVG files are no longer executed. For security reasons, all SVG images now use a default thumbnail.
We plan to generate raster preview thumbnails of vector files using the ImageMagick library in future versions of Quantum Manager.
2. Stored XSS via a malicious file name
Description: Fixed file extension filtering in filenames.
Affected: Version 3.2.0 and all previous versions
Solution: All extraneous characters are now securely filtered.
Since these issues affect site security, we have prepared two versions: one for Joomla 5 and Joomla 4, and an additional version for Joomla 3 (intended for the obsolete release of Quantum Manager 2.0.4, for those who still maintain sites on Joomla 3).
Note: Please update Quantum Manager to version 3.2.1 for Joomla 5 / Joomla 4, or install Quantum Manager version 2.0.5 for Joomla 3 (security fixes only).
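To review files already in a site's media folder for the two issue classes above, the following Python script walks a directory and flags SVG files with script-capable markup and file names containing markup characters. It is an added example, not part of Quantum Manager or its patch; the directory path, the patterns and the sample files are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Heuristic markers of script-capable SVG markup: <script>, on*= event
# handlers, javascript: URLs, <foreignObject>. Flags for review, not a sanitizer.
ACTIVE_SVG = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b",
    re.IGNORECASE,
)
# Characters that turn into markup if a file listing prints the name unescaped.
NAME_CHARS = re.compile(r"[<>\"'`&]")


def audit_media(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NAME_CHARS.search(path.name):
            findings.append((rel, "markup characters in file name"))
        if path.suffix.lower() == ".svg" and ACTIVE_SVG.search(path.read_bytes()):
            findings.append((rel, "active content in SVG"))
    return sorted(findings)


def build_sample(root):
    """Write constructed sample files (not from any real site) under root."""
    root = Path(root)
    ns = b'xmlns="http://www.w3.org/2000/svg"'
    (root / "icons").mkdir()
    (root / "logo.svg").write_bytes(b"<svg " + ns + b'><rect width="4" height="4"/></svg>')
    (root / "banner.svg").write_bytes(b"<svg " + ns + b' onload="void(0)"></svg>')
    (root / "icons" / "menu.svg").write_bytes(b"<svg " + ns + b"><script></script></svg>")
    (root / "holiday'x.jpg").write_bytes(b"\xff\xd8\xff")


if __name__ == "__main__":
    # Usage: python audit_media.py /path/to/site/images  (path is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in audit_media(target):
        print(f"{reason}: {rel}")
```

A clean result is not proof of safety: compressed (.svgz) or non-ASCII-encoded SVG files are not inspected, and every flagged file still needs manual review.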
We would like to thank Sebastian J. and the Joomla VEL Team for their assistance.
Version 3.2.1 Changelog (Joomla 5/4)
- Fixed. Vulnerability. Stored XSS via a malicious file name.
- Fixed. Vulnerability. File extension filtering in filenames. All extraneous characters are now securely filtered.
- Fixed. Colours did not change correctly in the Dark Mode of the Joomla Administrator Panel template.
- Fixed. Wrong URL to documentation when clicking on 'Help' button in toolbar.
- Fixed. Wrong URL to settings if Joomla is installed in subfolder or on localhost.
Version 2.0.5 Changelog (Joomla 3)
- Fixed. Vulnerability. Stored XSS via a malicious file name.
- Fixed. Vulnerability. File extension filtering in filenames. All extraneous characters are now securely filtered.
Download version 2.0.5 for Joomla 3 (security patches only). Please note that this version of Joomla is obsolete, and migrating to the current version of Joomla is highly recommended.
If you like Quantum Manager, please share your opinion by writing a review at the Joomla Extensions Directory or on TrustPilot and support the project.
