743 matches found
aiContactSafe 2.0.19
xss 160413 developer release statement for version 2.0.21 Authors:...
[20120306] - Core - Information Disclosure
Inadequate permission checking allows unauthorised viewing of administrative back end information...
[20111003] - Core - Information Disclosure
Weak encryption causes potential information disclosure...
[20110602] - Information Disclosure
Inadequate filtering causes possible information disclosure...
[20090602] - Core - ja_purity XSS
A XSS vulnerability exists in the JAPurity template which ships with Joomla! 1.5...
[20260514] - Core - Privilege escalation through com_users webservice endpoints
An improper access check allows privelege escalation through the comusers group editing webservice endpoint...
[20260101] - Core - Inadequate content filtering for data URLs
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags...
[20250102] - Core - XSS vector in the id attribute of menu lists
Lack of output escaping in the id attribute of menu lists...
Advanced custom fields, 2.7.7, SQL Injection
Version: Old 2.8.2 / New 2.8.3 Update details: Improved sanitization/escaping of custom field values in v2.8.3 Update URL: https://www.tassos.gr/releases/advanced-custom-fields/advanced-custom-fields-2-8-3?format=htmlChangelog...
Solidres, 2.13.3, hub plugin XSS (Cross Site Scripting)
https://www.solidres.com/forum/report-bugs/12031-vulnerability-joomla-solidres-2-13-3-reflected-xss...
JomSocial , 4.7.6, XSS (Cross Site Scripting)
JomSocial , 4.7.6, XSS Cross Site Scripting investigation...
xcloner,3.53,Other
xcloner,3.53,Other Developer statement Today we have made available a new release — version 3.5.4 — for the unmaintained Joomla version of XCloner. Prior versions of XCloner for Joomla contained an Authenticated Local File Disclosure vulnerability that has been patched in the latest version. Any...
fabrik 3.9,Various
,fabrik 3.9. Various Issues NOTE: the earlier version number was a mistake by the reporter. new version number 3.9.1 Update Notice URL https://fabrikar.com/blog/87-fabrik-3-9-1-released...
eXtplorer 2.1.12 various
eXtplorer 2.1.12 various Update Notice URL https://extplorer.net/news/24...
Edocman,1.1.17,SQL Injection
Edocman,1.1.17,SQL Injection Extension Update Details Fix security issue on Joomla SQL injection from previous Edocman version. new version number 1.11.8 UpdateNotice URL...
music collection, 3.0.3 ,SQL Injection
music collection, 3.0.3 ,SQL Injection Developer statement: currently at version 3.0.6, this was already fixed in 3.0.4...
En Masse, all versions, SQL Injection
En Masse by Matamko.com, all known versions, SQL Injection...
JEXTN Video Gallery 3.0.5 - SQL Injection, 3.0.5 ,SQL Injection
JEXTN Video Gallery 3.0.5 - SQL Injection, 3.0.5 ,SQL Injection...
JS Jobs,1.1.8, RCE
JS Jobs, 1.1.8, Remote code execution - includes free and pro versions resolution: update to 1.1.9 update notice: http://www.joomsky.com/products/js-jobs.html...
AppointmentBookingPro,4.0.1,SQL Injection
AppointmentBookingPro, 4.0.1, SQL Injection Resolution: update to 4.0.2 RC2 Update notice: https://appointmentbookingpro.com/support2/an2/17169-joomla-vel.html...
Abstract manager, 2.1
Abstract manager by joomla6teen.com, 2.1, SQL Injection...
community quiz,4.4.1,SQL Injection
community quiz by corejoomla.com, 4.4.1, SQL Injection Resolution: update to 4.4.2 Update Notice: https://www.corejoomla.com/news/1164-community-quiz-v4-4-2-is-released.html...
hwdVideoShare,N/A
hwdVideoShare,N/A,SQL Injection Dev Statement The hwdVideoShare comhwdvideoshare extension was retired 3 years ago, and we deleted it from the Joomla Extensions Directory. It was replaced by a completely new extension called HWDMediaShare...
Community Builder versions 2.1 and previous
Community Builder Versions 2.1.0 and previous contain versions of 3rd party libraries with known vulnerabilities: PHPMailer and Guzzle Release 2.1.1 updates to version 5.2.22 of PHP Mailer provides custom fix for Guzzle library Developer states that this is precautionary only, and that these...
HDW Player, 3.2.1 and older
HDW Player, 3.2.1 and older including 3.1 and 3.0 Remote code execution Please see https://vel.joomla.org/vel-blog/2033-hdw-player-4-0-0-rce for further information...
Events Booking, versions before 2.1.1
Joomdonation extensions, Information Disclosure Events Booking versions before 2.1.1 Resolution: update to 2.1.1 Update notice URL: http://joomdonation.com/forum/events-booking-general-discussion/50511-events-booking-version-2-1-1-released.html...
Joomla GoogleSearch (CSE), 3.0.2 and below, any Joomla
Joomla GoogleSearch CSE, 3.0.2 and below, any Joomla, XSS Cross Site Scripting Resolution: update to version 3.0.4 Update Notice: http://www.kksou.com/php-gtk2/joomla-news/important-notice-googlesearch-cse-component.php...
Responsive Portfolio Wall [mod_repowa], 1.0 and below, XSS (Cross Site Scripting)
Responsive Portfolio Wall modrepowa, 1.0, XSS Cross Site Scripting Extension includes vulnerable version of JS library prettyPhoto Vulnerability fixed in version 1.1 Update notice: http://www.joomlabusiness.net/module/responsive-portfolio-wall...
Joomla Simple Photo Gallery version 1.1
Apptha Joomla Simple Photo Gallery ,comsimplephotogallery version 1.1 and previous, Other...
AllVideos version 4.6.1 and previous
AllVideos by Joomlaworks version 4.6.1 and previous XSS Cross Site Scripting Resolution: update to version 4.7.0 Update notice url: http://www.joomlaworks.net/forum/product-updates/41200-april-20th,-2015-allvideos-v4-7-0...
spider random articles 1.5.0 and previous
spider random articles, all versions prior to 1.5.1 SQL Injection Version 1.5.1 is a "Security Release" and those who use Random Article version under 1.5.1 should upgrade immediately to the latest version!...
Gallery WD version 1.2.3 and previous
Gallery WD version 1.2.3 and previous XSS Cross Site Scripting Resolution: Update to version 1.2.5 Update notice URL: http://web-dorado.com/products/joomla-gallery.html...
corephp paGo, LFI 1.0.7 and below
Corephp paGo, , DT, LFI Developer update statement http://www.corephp.com/blog/corephp-announces-immediate-availability-pago-commerce-1-07-1/...
MijoShop, 2.4.x - 2.5.x,
MijoShop, 2.4.x - 2.5.x, SQL Injection Extension Update Details 2.5.2 UpdateNoticeURL http://miwisoft.com/blog/mijoshop-252-security-update-released...
K2 Content Extension, 2.6.8,
K2 Content Extension, 2.6.8, XSS Cross Site Scripting resolution update to version 2.6.9...
ODude Profile
ODude Profile Directory Traversal vulnerability - 777 developer statement ODude Profile | 3.2 | http://www.odude.com/main/profile/profile-changelog.html ---|---|---...
JomSocial component pre 3.1.0.1
JomSocial component 3.1.0.1 RFI The new version number is 3.1.0.4 http://www.jomsocial.com/blog/hot-fix-3-1-0-4...
worldrates
http://dev.pucit.edu.pk/120410 Authors:...
[20100423] - Core - Negative Values for Limit and Offset
If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system...
[20080903] - Core - com_mailto Spam
The mailto component does not verify validity of the URL prior to sending...
[20080904] - Core - Redirect Spam
Several components utilize a passed in URL to redirect to after processing. These URLs are not validated prior to the redirect. A crafted URL can cause the system to redirect to a spam or phishing site...
[20260518] - Core - Transport encryption downgrade for password and username reset links
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set...
[20240701] - Core - XSS in accessible media selection field
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field...
bagallery , , Other
Developer statement Old 1.1 / New 1.2 Update details: We have thoroughly tested all the code in our component to ensure it is free of any security issues. Update URL: https://bestaddon.com/product/ba-gallery/Changelog...
quickform, , Other
Developer states exploit is "hack yourself" scenario...
kunena, ,XSS (Cross Site Scripting)
kunena,5.1.3,XSS Cross Site Scripting...
[20190502] - Core - By-passing protection of Phar Stream Wrapper Interceptor
In Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core. In order to intercept file invocations like fileexists or stat on compromised Phar archives the base name has to be determined and...
Kunena,5.1.9,XSS (Cross Site Scripting)
Kunena,5.1.9,XSS Cross Site Scripting https://www.kunena.org/blog/203-kunena-5-1-10-released...
JoomCRM 1.1.1
new version number 1.1.2 https://www.joomboost.com/blog-updates/joomcrm-version-1-1-2-security-announcement.html...
CW Article Attachments (Free Version), SQL Injection
CW Article Attachments Free Version from cwjoomla.com, versions 1.0.6 and previous, SQL Injection resolution: update to 1.0.7 update notice: http://www.cwjoomla.com/download-cw-article-attachments...