Need help with Joomla? We are available for hire to help with Joomla customization, upgrades, maintenance, and custom development.
Explore our services [15-July-2026] Events Booking version 5.8.0 - Security Release
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
Less
More
3 days 14 hours ago - 3 days 8 hours ago #178977
by Tuan Pham Ngoc
[15-July-2026] Events Booking version 5.8.0 - Security Release was created by Tuan Pham Ngoc
Dear customers !
I’m happy to announce the release of Events Booking version 5.8.0! This release address two medium security issues found in the earlier versions:
1. Missing permission check result in leaking data
- This missing permission check allow un-authenticated users to get data from any Joomla user (Name, Email) base on the given User ID. The necessary check has been added to prevent this.
2. Missing CSRF token check on upload file
- The extension has an end point to allow registrants to upload file during registrations using ajax upload. The code in previous release does not have CSRF token check, this is now added to enhance security. Further more, I also added .htaccess to prevent direct access to files into this folder, just in case admin allows uploading php files by mistake. Also, addition check has been added so that if you do not use File custom field types, the upload end point will be disabled to prevent attackers from uploading files (to abuse server quota for some reasons).
- Additional checks below are implemented to prevent mass uploads attack (assume your site is on target of attack):
+ Reject unsafe files (files with unsafe file extensions, files contain code) for older Joomla version to make it works in the same way with security improvements implement in Joomla 6.1.2 File::upload method
+ Max Files Per Session: Limit maximum number of files which can be uploaded per session. By default, I set it to 100, you can change it in Events Booking -> Configuration if needed
+ Max Files Per Minutes: Limit maximum number of files which can be be uploaded per minutes. By default, I set it to 20. You can adjust it to a smaller value like 5 or 10 if needed.
+ Upload Folder Size Limit: If you worry that too many files can be uploaded which makes your hosting space becomes full, you can limit it to something like 1024MB (mean 1GB), or smaller size
+ Max Files In Upload Folder: If you worry that too many files can be uploaded, you can limit total number of files can be uploaded for your site via upload field types in Events Booking. For example, set it to 5000 files.
Please update your site to this latest version of Events Booking to have the two issues fixed and more secure. We sincerely apologize for any inconvenience this may cause and appreciate your prompt attention to this matter.
I also would like to take this chance to thanks Phil from mysites.guru/ for reporting the issues to us this afternoon, and discussing further about the second issue via email. Also, thanks David from JSST for joining the discussion, too.
Regards,
Tuan
I’m happy to announce the release of Events Booking version 5.8.0! This release address two medium security issues found in the earlier versions:
1. Missing permission check result in leaking data
- This missing permission check allow un-authenticated users to get data from any Joomla user (Name, Email) base on the given User ID. The necessary check has been added to prevent this.
2. Missing CSRF token check on upload file
- The extension has an end point to allow registrants to upload file during registrations using ajax upload. The code in previous release does not have CSRF token check, this is now added to enhance security. Further more, I also added .htaccess to prevent direct access to files into this folder, just in case admin allows uploading php files by mistake. Also, addition check has been added so that if you do not use File custom field types, the upload end point will be disabled to prevent attackers from uploading files (to abuse server quota for some reasons).
- Additional checks below are implemented to prevent mass uploads attack (assume your site is on target of attack):
+ Reject unsafe files (files with unsafe file extensions, files contain code) for older Joomla version to make it works in the same way with security improvements implement in Joomla 6.1.2 File::upload method
+ Max Files Per Session: Limit maximum number of files which can be uploaded per session. By default, I set it to 100, you can change it in Events Booking -> Configuration if needed
+ Max Files Per Minutes: Limit maximum number of files which can be be uploaded per minutes. By default, I set it to 20. You can adjust it to a smaller value like 5 or 10 if needed.
+ Upload Folder Size Limit: If you worry that too many files can be uploaded which makes your hosting space becomes full, you can limit it to something like 1024MB (mean 1GB), or smaller size
+ Max Files In Upload Folder: If you worry that too many files can be uploaded, you can limit total number of files can be uploaded for your site via upload field types in Events Booking. For example, set it to 5000 files.
Please update your site to this latest version of Events Booking to have the two issues fixed and more secure. We sincerely apologize for any inconvenience this may cause and appreciate your prompt attention to this matter.
I also would like to take this chance to thanks Phil from mysites.guru/ for reporting the issues to us this afternoon, and discussing further about the second issue via email. Also, thanks David from JSST for joining the discussion, too.
Regards,
Tuan
Last edit: 3 days 8 hours ago by Tuan Pham Ngoc.
The following user(s) said Thank You: Bas van Kollenburg, Lionel
Please Log in or Create an account to join the conversation.
- Eric vanBok
- Offline
- Premium Member
-
Less
More
- Posts: 84
- Thank you received: 8
3 days 11 hours ago #178978
by Eric vanBok
Replied by Eric vanBok on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Hello.
This update does not appear to fix the issues. Please look into this further so you can supply a proper fix. Thank you.
Eric
This update does not appear to fix the issues. Please look into this further so you can supply a proper fix. Thank you.
Eric
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
3 days 11 hours ago #178979
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Hi Eric
Could you please submit a support ticket provide me further information about this and we will discuss further about it.
Regards,
Tuan
Could you please submit a support ticket provide me further information about this and we will discuss further about it.
Regards,
Tuan
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
3 days 11 hours ago #178980
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
BTW, the current implementation is quite safe. But since the upload file is open for public users to upload files during their registration, if someone uses it to upload multiple files, there is no way for the system to prevent that. That is the same for any public forms which allow public users to upload files
Regards,
Tuan
Regards,
Tuan
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
3 days 8 hours ago #178987
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Just want to update that some additional checks were added to make field upload more secure (just in case someone uses upload end point to attack your site by mass upload), so if you updated Events Booking before 16:10pm, 15 July 2026, you might want to download latest package and update it to your site again
Regards,
Tuan
Regards,
Tuan
The following user(s) said Thank You: Bas van Kollenburg
Please Log in or Create an account to join the conversation.
- CyberSpyder Marketing Services
- Offline
- New Member
-
Less
More
- Posts: 2
- Thank you received: 0
1 day 6 hours ago #178996
by CyberSpyder Marketing Services
Replied by CyberSpyder Marketing Services on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Anything (patch) for those who have clients still n J3 (3.10.12) with EB 4.9.4?
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
21 hours 21 minutes ago #178997
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Hi CyberSpyder
Yes. For Joomla 3, we released version 4.9.5 which also available for update
Regards,
Tuan
Yes. For Joomla 3, we released version 4.9.5 which also available for update
Regards,
Tuan
Please Log in or Create an account to join the conversation.
- preflight
- Offline
- New Member
-
Less
More
- Posts: 16
- Thank you received: 1
18 hours 45 minutes ago #178998
by preflight
Replied by preflight on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Thanks Tuan
where can we download the Events Booking version 4.9.5 in our Downloads section when we login?
The download button will only download version 5.8.0
thank you
where can we download the Events Booking version 4.9.5 in our Downloads section when we login?
The download button will only download version 5.8.0
thank you
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
17 hours 13 minutes ago #178999
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
We do not provide download package for Joomla 3 directly on Downloads section. If you need it, please submit a support ticket and we will send it to you
However, you might want to configure Download ID docs.joomdonation.com/eventsbooking/gett.../installation#update and use Joomla updater (update from administrator area of your site without download update and upload manually) to update to 4.9.5 on your Joomla 3 website
Regards,
Tuan
However, you might want to configure Download ID docs.joomdonation.com/eventsbooking/gett.../installation#update and use Joomla updater (update from administrator area of your site without download update and upload manually) to update to 4.9.5 on your Joomla 3 website
Regards,
Tuan
Please Log in or Create an account to join the conversation.
- preflight
- Offline
- New Member
-
Less
More
- Posts: 16
- Thank you received: 1
17 hours ago #179000
by preflight
Replied by preflight on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Thankyou Tuan
I will submit a ticket.
I have tried to include a newly created Download ID and, the site does get a Update Available 4.9.5'. However, we receive a 403 error when clicking the update link.
We use Admin Tools as a firewall. A few other plugins request that a url is entered into the "Allow direct access to these files" field when using the create .htaccess file to allow for updates.
Would this be interfering with the update?
Would that be stopping it connecting?
Something like:
"/administrator/components/com_eventbooking/updates"
in the Allow direct access to these files"
thank you
I will submit a ticket.
I have tried to include a newly created Download ID and, the site does get a Update Available 4.9.5'. However, we receive a 403 error when clicking the update link.
We use Admin Tools as a firewall. A few other plugins request that a url is entered into the "Allow direct access to these files" field when using the create .htaccess file to allow for updates.
Would this be interfering with the update?
Would that be stopping it connecting?
Something like:
"/administrator/components/com_eventbooking/updates"
in the Allow direct access to these files"
thank you
Please Log in or Create an account to join the conversation.
Support
Documentation
Information
Copyright © 2026 Joomla Extensions by Joomdonation. All Rights Reserved.
joomdonation.com is not affiliated with or endorsed by the Joomla! Project or Open Source Matters.
The Joomla! name and logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.
The Joomla! name and logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.