According to its self-reported version, the instance of Joomla! running on the remote web server is 3.x prior to 3.9.25. It is, therefore, affected by multiple vulnerabilities.
Usage of the insecure rand() function within the process of generating the 2FA secret. (CVE-2021-23126)
Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes. (CVE-2021-23127)
The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. (CVE-2021-23128)
Missing filtering of messages showed to users that could lead to XSS issues. (CVE-2021-23129)
Missing filtering of feed fields could lead to XSS issues. (CVE-2021-23130)
Missing input validation within the template manager. (CVE-2021-23131)
com_media allowed paths that are not intended for image uploads. (CVE-2021-23132)
Incorrect ACL checks could allow unauthorized change of the category for an article. (CVE-2021-26027)
Extracting an specifilcy crafted zip package could write files outside of the intended path. (CVE-2021-26028)
Inadequate filtering of form contents could allow to overwrite the author field. (CVE-2021-26029)
Note that the scanner has not tested for these issues but has instead relied only on the applicationโs self-reported version number.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23127
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23131
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23132
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26027
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26028
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26029
developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html
developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html
developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html
developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html
developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html
developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html
developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html
developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html
developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html
www.joomla.org/announcements/release-news/5834-joomla-3-9-25.html