Joomla 5.2.3 security and bugfix release

On Tuesday, January 7, 2025, Joomla 5.2.3 was released. This is a security and bugfix release that resolves three security issues in Joomla 5.x. 

Resolved security issues

With this security update, three security issues are resolved:

  • [20250101] - Core - XSS vectors in module chromes
    Various module chromes did not process input correctly.
  • [20250102] - Core - XSS vector in the id attribute of menu lists
    Lack of output escaping in the id attribute of menu lists.
  • [20250103] - Core - Read ACL violation in multiple core views
    Incorrect access control allows access to protected views.

Resolved bugs

With this 5.2.3 update, some bugs are resolved:

  • Fix joomlaExtButtons TinyMCE plugin, buttons validation (#44507)
  • Email Validation apostrophe (#44527)
  • Set correct AssetTitle and AssetParentId (#42493)
  • Remove empty images and anchors from mod articles_news (#42493), mod articles_category (#44478) and (#44475)
  • Remove wrong class in cancel link in add verification code frontend page (#44473)
  • Allow multiselect for checkboxes (#44500)
  • Postgres and finder suggestions (#44384)
  • Pre-update check for extensions AllowDynamicProperties (#44307)
  • Fix PHPCS nullable parameter (#44543)
  • Fix double closing curly braces in inline style (#44532)
  • Uncaught TypeError: can't access property "getAttribute", toggleButton is null (#44555)
  • Plugins: Search not case-insensitive for unicode language (#44525)
  • Fix increment on non-alphanumeric string deprecation (#44173)
  • User: Don't reset newly set requireReset (#44519)
  • CoreButtonsTrait back() generates wrong button text (#44509)
  • Tags: Make router discover 404s properly (#44540)
  • Catch exception to get the user in the action log model (#44358)
  • Fix return typehint in IdentityAware trait (#44567)
  • Composer update joomla/application to 3.0.3 to fix PHP deprecations in Web Client (#44585)
  • User: Allow MFA before password reset (#44521)
  • Fix duplicate entry with the action logs by removing the second call to onJoomlaAfterUpdate (#44629)
  • [CLI] extension:remove -n option "Invalid Response" fix (#44546)
  • Privacy: Allow MFA and invalid privacy consents (#44522)
  • Refresh changelog URL on manifest cache refresh (#44565)

A detailed overview of the resolved bugs is available on the official Joomla GitHub repository: https://github.com/joomla/joomla-cms/milestone/135?closed=1

Do you need support with updating or migrating to Joomla 5.2? Then contact us.

© db8.nl. All rights reserved.