Joomla! 3.4.6 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and 4 low level security vulnerabilities. We strongly recommend that you update your sites immediately.

This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.5 release.

What's in 3.4.6

Version 3.4.6 is released to address four reported security vulnerabilities and includes security hardening of the user password reset system.

Security Issues Fixed

• High Priority - Core - Remote Code Execution (affecting Joomla 1.5 through 3.4.5) More information »
• Low Priority - Core - CRSF Hardening (affecting Joomla 3.2.0 through 3.4.5) More information »
• Low Priority - Core - Directory Traversal (affecting Joomla 3.2.0 through 3.4.5) More information »
• Low Priority - Core - Directory Traversal (affecting Joomla 3.4.0 through 3.4.5) More information »

Please see the documentation wiki for FAQ’s regarding the 3.4.6 release.

Download

Joomla 1.5 and 2.5

Joomla does not release updates for EOL versions however we have made patches available for download which can be found at https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions.

A Huge Thank You!

Thank you to the Joomla Security Strike Team for their swift resolution of this issue. Thanks to Brian Teeman for testing the 1.5 and 2.5 patches.

Joomla Security Strike Team

A big thanks to the Joomla Security Strike Team for their ongoing work to keep Joomla secure. Members include: Matias Aguirre, Michael Babker, Beat B., Mark Boos, Marco Dings, Matias Griese, Thomas Hunziker, David Jardin, Alan Langford, Jean-Marie Simonet, Phil Taylor, Viktor Vogel, George Wilson, Davide Tampellini

Security Team Leadership: Viktor Vogel, Coordinator

Image Credit: Chiara Aliotta and Helvecio Da Silva