On 21 December 2015, the Joomla project announced a new security vulnerability affecting all current versions of Joomla 1.5 through 3.4.6.

This vulnerability builds on a similar security issue patched one week ago and we recommend that all Joomla websites update immediately. 

Updating Joomla 3 sites

We strongly advise you to update any Joomla 3 site to the latest 3.4.7 version without delay. You can do this via the Watchful dashboard or on each of your website backends using the built-in  Joomla Updater.

Updating Joomla 1.5 and 2.x sites

Once a version of Joomla reaches the end-of-life (EOL) stage of development, the development team no longer releases official updates. However, if critical security bugs are identified, users may manually apply unofficial and unsupported fixes (via FTP for example).

To simplify the process of applying updates for EOL Joomla versions, we’ve prepared security patches that users can install directly from the Joomla backend. To use them:

1. Backup your site(s).
2. Download the installable EOL patches (updated today for the latest vulnerability).
3. Websites running Joomla 1.5 or 2.5 must first update to the latest versions — Joomla 1.5.26 (instructions) and 2.5.28 (instructions).
4. Install the EOL patches via the in the  Joomla installer of each site individually. Watchful users may use the Remote Installer to update all of their Joomla 1.5 and 2.5 sites at once.