As a courtesy to our customers, we maintain a list of recent versions and the important security updates for Joomla. Generally, the most current version of your CMS is the most secure, but if you have an older version of your CMS, it can be hard to find information on whether your version is secure or not.
Bookmark this KB, and we will continue to update it with the most current secure version information.
What is the latest secure version of Joomla?
Joomla 3.6.5 — Security Update
Joomla 3.6.5 is a security release that addresses multiple vulnerability issues, including: issues with elevated privileges (High Priority), shell uploads (Low Priority), information disclosure (Low Priority), and additional security hardening. For more information on the 3.6.5 update, or each of these individual security issues, consult the official security release notes here.
Joomla 3.6.4 — Security Update
Joomla 3.6.4 is an important security update for the Joomla 3.x series that "addresses three critical security vulnerabilities and a bug fix for two-factor authentication," according to the official release. All three of these security vulnerabilities are rated as "High Priority" and directly impact the core, affecting Joomla 3.4.4 through 3.6.3. It is recommended that users of the Joomla platform update to mitigate these vulnerabilities on their sites. The vulnerabilities impact account creation, elevated privileges, and account modifications. For more information on these specific vulnerabilities, or details about the update as a whole, see the official release notes here.
Joomla has released a revised assessment of the 3.6.4 security update impacting security advisory 20161002 (CVE-2016-8869). It was discovered that a spoofed request could overwrite a user's account data. More information on this exploit and security advisory 20161003 can be found here.
Joomla 3.6.3 — Maintenance Update
Joomla 3.6.3 is a maintenance release to the Joomla 3.6.x series that fixes the major backwards compatibility break introduced in the 3.6.2 regression. Additionally, Joomla 3.6.3 addresses many improvements throughout the series. This release also updates the WYSIWYG editors TinyMCE to 4.4.3 and CodeMirror to 5.18.0. For a full list of items addressed, check out the GitHub repository for details of tracker items fixed. More information for the Joomla 3.6.3 update can be found in the official release notes here.
Joomla 3.6.2 — Maintenance Update
Joomla 3.6.2 is a maintenance release that fixes several bugs and issues identified in the 3.x series. Additionally, it addresses some minor regressions introduced in 3.6.1 in relation to email cloaking and sessions. Note that there are some known issues when updating from certain legacy versions to 3.6.1. If possible, it may be easier to skip 3.6.1 and update directly to 3.6.2. For more information on the Joomla 3.6.2 update, read the official release notes here.
Joomla 3.6.1 — Security Update
Joomla 3.6.1 is a security update that addresses a "medium level security issue" (20160803 Core - CSRF) that exists in Joomla 3.6.0 through 2.5.4. Additionally, in the first pass a regression emerged when attempting to address the security issue. If you had already updated to Joomla 3.6.1 from 3.6.0, you can run the database fixer tool to delete the one file that has been removed. If you are otherwise updating directly, you will be fine as these files have been addressed.
Note that there were some difficulties identified in the update process that could necessitate migrating to 3.5.1 before you can upgrade to 3.6.0. It is recommended you read the release notes before making any large, full-version number updates. For more information about the 3.6.1 update, read the official release notes here.
Joomla 3.6 — Features Update
Joomla 3.6 is a full feature release with multiple improvements in performance. Among other things, this update to the 3.x series includes many UI improvements, new form field functions, simplified category creation, menu type ACL, and many more new features. For a full list of changes, check out the Git repository here; the official release announcement can be read here.
Joomla 3.5.1 — Maintenance Update
Joomla 3.5.1 is a bug fix release for issues that have been identified in the Joomla 3.5.x series. Some of the issues addressed and fixes made include: root URL sometimes returning empty in canonical URLs, having to log in twice when a user session expires, SMTP email optimizations, PHP errors with session restarts, and several other items. For more information on this update, see the official Joomla 3.5.1 release notes here.
Joomla 3.5 — Features Update
Joomla 3.5 is a full feature release with multiple improvements in performance. Among other things, improvements have been made to the following: anonymized data, system info expert, ability to add a user CSS file to Protostar, site and admin links to module user, article counts, random category blog and list order, optimizations to the toolbar, and the much requested drag and drop images feature. For more information on Joomla 3.5, read the official release notes here.
Joomla 3.4.8 — Maintenance Update
Joomla 3.4.8 is a maintenance update that fixes several minor bugs "related to session management from Joomla 3.4.7." This update does not contain any major security patches or new features. This is a maintenance update only. For more information on this maintenance release, read the official announcement here.
Joomla 3.4.7 — Security Update
Joomla 3.4.7 is a security release that addresses two vulnerabilities, including a follow-up on a "critical security vulnerability" that was patched earlier. This version fixes a high priority session hardening vulnerability in the core, as well as a discovered SQL injection vulnerability rated as "low priority" by the Joomla team. For more information on these security updates, read the official announcement here.
Joomla 3.4.5 — Security Update
Joomla 3.4.5 is a security release addressing three main security issues that affect the core: a high priority SQL injection (affecting Joomla 3.2 through 3.4.4); a medium priority ACL violation (affecting Joomla 3.2 through 3.4.4); and another medium priority ACL violation (affecting Joomla 3.0 through 3.4.4). This is a security release only; no new features were added in this release. For more information on the issues corrected in the release, read the official announcement here.
Joomla 3.4.4 — Security Update
Joomla 3.4.4 is a security release for the 3.4.x series that fixes a cross-site scripting vulnerability rated as a "low priority" by the Joomla Security Team. This update also addresses further en-GB language cleanup; jQuery, HTML5Shiv and CodeMirror updates; and new changes to the Joomla codestyle rules. For more information on the update, read the official release announcement here.
Joomla 3.4.3 — Maintenance Update
Joomla 3.4.3 is a maintenance release for the 3.4.x series that addresses several issues, including: the renaming of the ClassLoader.php file, invalid field warning errors when saving, multilingual site extension issues, corrections to the batch model dropdown, and other issues. More info can be found on the 3.4.3 release announcement page here.
Joomla 3.4.2 — Security Update
Joomla 3.4.2 is a security release for the 3.4.x series. This release contains fixes for two "low level security issues" that are documented in the 3.4.2 FAQ here. More info can be found on the 3.4.2 release announcement page here.
Joomla 3.4.1 — Maintenance Update
Joomla 3.4.1 smooths out the long-awaited 3.4 release by addressing issues introduced in that update. Particularly, 3.4.1 addresses "issues introduced in 3.4.0 with installing certain extensions and content languages access." More info can be found here.
Joomla 3.4 — Features Update
Joomla 3.4 is the long-awaited update to the 3.x Joomla series. More than 700 bugs were resolved as part of the 3.4 development cycle. The new update includes a collapsible sidebar, extension beta testing, decoupled com_weblinks, front-end module editing, Google reCAPTCHA, and composer integration to make managing external dependencies easy. More information can be found on the official release page here.
Joomla 3.3.6 — Security Update
Joomla 3.3.6 is a security release that addresses a "high-priority" security issue in the core, as well as regressions introduced in the 3.3.5 update. According to the Joomla Security Team, "this release addresses an issue related to the core update component, one regression in the user password reset process, and adds a fallback upgrade mechanism for the update component." More information can be found here.
Joomla 3.3.3 — Maintenance Update
Joomla 3.3.3 is a maintenance release that addresses several issues introduced in the 3.3.2 update. According to the changelog notes, this update includes fixes for the cloak container error, class attributes, and several other maintenance fixes. If you are using 3.3.2, it is recommended to upgrade to 3.3.3 to fix the regressions introduced by that update. You can read more about the 3.3.3 update here.
Joomla 3.3 — Maintenance Update
Joomla 3.3 introduces several new features into the Joomla core platform, including: improved password functionality, performance improvements, microdata use, optimized code, faster load speeds, security updates, and fixes for more than 115 additional bugs. Joomla 3.2.4 was also released as a bridge update, due to the minimum PHP version being changed to 5.3.10. Full details on the Joomla 3.3 update and 3.2.4 bridge can be read here.
Joomla 3.2.3 — Security Update
Joomla 3.2.3 is a security update that addresses several vulnerabilities, including multiple classified as "Medium Priority," and a core SQL injection vulnerability that has been declared a "High Priority" security issue by the Joomla team. Anyone running Joomla 3.2 is encouraged to immediately upgrade to the more secure version 3.2.3. For more information about this update, read the official Joomla 3.2.3 release notes here.
Joomla 3.2.1 — Maintenance Update
Joomla 3.2.1 is a maintenance update only. There are no security fixes in this update. Joomla 3.2.1 resolves more than 125 bugs, including various lockout issues associated with the administrator login. Full info on Joomla 3.2.1 may be found here.
Joomla 3.2 — Security Update
Joomla 3.2 stable release contains dozens of new features, including: content version control, several user interface improvements, expanded language support, increased security and authentication, and a new rapid development framework for extension coding. Full details on Joomla version 3.2.0 can be found here.
Joomla 3.1.5 — Security Update
This version of Joomla addresses a critical security issue that allowed the bypassing of certain file upload restrictions. The versions this security flaw applied to included Joomla 2.5.13 and earlier 2.5.x versions, and version 3.1.4 and earlier 3.x versions. Also included in 3.1.5 is a new administrator template, new front end Twitter Bootstrap template, improvements to Smart Search, and the new administrator statistics module. A full list of new features can be found here.
Joomla 2.5.6 — Maintenance Update
Joomla 2.5.6 has all of the features of Joomla 2.5, including Smart Search, User Notes, and improved SEO, but has worked out the bugs. It also has new features including the ability to copy a template, new implementation of Terms of Service, new features in module admin manager, multi-file upload, and more.
Joomla 2.5.5 to 2.0 — Insecure
These versions of Joomla have known security vulnerabilities and bugs, including tracker issues, privilege escalation, and inadequate permission checking. You should plan on upgrading to version 2.5.6.
Joomla 1.7.5 — Legacy
Joomla 1.7.5 has increased security updates from version 1.5. However, Joomla 1.7.5 is really only a placeholder for those who need more time to upgrade to version 2.5.6. Joomla 1.7.5 is no longer monitored by the Joomla! Security Strike Team (JSST). You should consider upgrading to version 2.5.6 in order to make the most of your Joomla website.
Joomla 1.7.4 and under — Insecure
These versions of Joomla have known bugs in statistics, extensions, plugins, and templates, and major security issues like problems with directory traversal, administrator panel vulnerabilities, and unauthorized access. The JSST no longer monitors versions 1.7.4 and under, so there will be no new security updates. Please upgrade your website as soon as possible to keep it secure and functioning well.
Don't See Your Version Here? You Need To Upgrade
If you do not see your version of Joomla here, you should upgrade immediately for the latest security and performance benefits. Certain older versions of Joomla may contain critical security vulnerabilities.