Need help with Joomla? We are available for hire to help with Joomla customization, upgrades, maintenance, and custom development.
Explore our services

[15-July-2026] Events Booking version 5.8.0 - Security Release

  • Tuan Pham Ngoc
  • Topic Author
  • Offline
  • Administrator
  • Administrator
More
10 hours 39 minutes ago - 4 hours 33 minutes ago #178977 by Tuan Pham Ngoc
Dear customers !

I’m happy to announce the release of Events Booking version 5.8.0! This release address two medium security issues found in the earlier versions:

1. Missing permission check result in leaking data

- This missing permission check allow un-authenticated users to get data from any Joomla user (Name, Email) base on the given User ID. The necessary check has been added to prevent this.

2. Missing CSRF token check on upload file

- The extension has an end point to allow registrants to upload file during registrations using ajax upload. The code in previous release does not have CSRF token check, this is now added to enhance security. Further more, I also added .htaccess to prevent direct access to files into this folder, just in case admin allows uploading php files by mistake. Also, addition check has been added so that if you do not use File custom field types, the upload end point will be disabled to prevent attackers from uploading files (to abuse server quota for some reasons).
- Additional checks below are implemented to prevent mass uploads attack (assume your site is on target of attack):

+ Reject unsafe files (files with unsafe file extensions, files contain code) for older Joomla version to make it works in the same way with security improvements implement in Joomla 6.1.2 File::upload method
+ Max Files Per Session: Limit maximum number of files which can be uploaded per session. By default, I set it to 100, you can change it in Events Booking -> Configuration if needed
+ Max Files Per Minutes: Limit maximum number of files which can be be uploaded per minutes. By default, I set it to 20. You can adjust it to a smaller value like 5 or 10 if needed.
+ Upload Folder Size Limit: If you worry that too many files can be uploaded which makes your hosting space becomes full, you can limit it to something like 1024MB (mean 1GB), or smaller size
+ Max Files In Upload Folder: If you worry that too many files can be uploaded, you can limit total number of files can be uploaded for your site via upload field types in Events Booking. For example, set it to 5000 files. 

Please update your site to this latest version of Events Booking to have the two issues fixed and more secure. We sincerely apologize for any inconvenience this may cause and appreciate your prompt attention to this matter.

I also would like to take this chance to thanks Phil from  mysites.guru/ for reporting the issues to us this afternoon, and discussing further about the second issue via email. Also, thanks David from JSST for joining the discussion, too.

Regards,

Tuan
Last edit: 4 hours 33 minutes ago by Tuan Pham Ngoc.

Please Log in or Create an account to join the conversation.

More
7 hours 39 minutes ago #178978 by Eric vanBok
Hello.

This update does not appear to fix the issues. Please look into this further so you can supply a proper fix. Thank you.

Eric

Please Log in or Create an account to join the conversation.

  • Tuan Pham Ngoc
  • Topic Author
  • Offline
  • Administrator
  • Administrator
More
7 hours 28 minutes ago #178979 by Tuan Pham Ngoc
Hi Eric

Could you please submit a support ticket provide me further information about this and we will discuss further about it.

Regards,

Tuan

Please Log in or Create an account to join the conversation.

  • Tuan Pham Ngoc
  • Topic Author
  • Offline
  • Administrator
  • Administrator
More
7 hours 26 minutes ago #178980 by Tuan Pham Ngoc
BTW, the current implementation is quite safe. But since the upload file is open for public users to upload files during their registration, if someone uses it to upload multiple files, there is no way for the system to prevent that. That is the same for any public forms which allow public users to upload files

Regards,

Tuan

Please Log in or Create an account to join the conversation.

  • Tuan Pham Ngoc
  • Topic Author
  • Offline
  • Administrator
  • Administrator
More
4 hours 31 minutes ago #178987 by Tuan Pham Ngoc
Just want to update that some additional checks were added to make field upload more secure (just in case someone uses upload end point to attack your site by mass upload), so if you updated Events Booking before 16:10pm, 15 July 2026, you might want to download latest package and update it to your site again

Regards,

Tuan

Please Log in or Create an account to join the conversation.