According to its self-reported version number, the detected Joomla! application is affected by multiple vulnerabilities:
A directory traversal vulnerability exists in versions 1.5.0 to 3.9.4 within the Media Manager component due to improperly sanitizing the folder parameter. An authenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server’s restricted path. (CVE-2019-10945)
An access control limit bypass exists in versions 3.2.0 to 3.9.4 within the gethelpsites() function of the com_users component. An unauthenticated, remote attacker can exploit this and access the ‘refresh list of helpsites’ endpoint. (CVE-2019-10946)
A cross-site scripting (XSS) vulnerability exists in versions 3.0.0 to 3.9.4 due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user’s browser session.
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10946
developer.joomla.org/security-centre/777-20190401-core-directory-traversal-in-com-media.html
developer.joomla.org/security-centre/778-20190402-core-helpsites-refresh-endpoint-callable-for-unauthenticated-users.html
developer.joomla.org/security-centre/779-20190403-core-object-prototype-pollution-in-jquery-extend.html
www.joomla.org/announcements/release-news/5764-joomla-3-9-5-release.html