On 21 December 2015, the Joomla project announced a new security vulnerability affecting all current versions of Joomla 1.5 through 3.4.6.
This vulnerability builds on a similar security issue patched one week ago and we recommend that all Joomla websites update immediately.
Updating Joomla 3 sites
We strongly advise you to update any Joomla 3 site to the latest 3.4.7 version without delay. You can do this via the Watchful dashboard or on each of your website backends using the built-in Joomla Updater.
Updating Joomla 1.5 and 2.x sites
Once a version of Joomla reaches the end-of-life (EOL) stage of development, official updates are no longer released. However, if critical security bugs are identified, unofficial and unsupported fixes may be applied manually (via FTP for example).
To make it easier to apply updates for EOL Joomla versions, we’ve prepared security patches that may be installed from the Joomla backend. To use them:
- Backup your site(s).
- Download the installable EOL patches (updated today for the latest vulnerability).
- Websites running Joomla 1.5 or 2.5 must first be updated to the latest versions — Joomla 1.5.26 (instructions) and 2.5.28 (instructions).
- Install the EOL patches via the in the Joomla installer of each site individually. Watchful users may use the Remote Installer to update all of their Joomla 1.5 and 2.5 sites at once.