mobilejoomla, 2.1.24, malicious redirects
mobilejoomla, 2.1.24, malicious redirects. A Google AdSense file was added that may redirect all of a site's AdSense revenue to the developer. The file is not deleted on removing the extension. Developer statement: Extension Update Details. Previously the free version of the Mobile extension added a file called ads.txt...
J-Business Directory,4.9.3,SQL Injection
jBusiness Directory from CMS Junkie, 4.9.3 and previous versions, SQL Injection, XSS. Resolution: update to 4.9.4. Update notice: http://www.cmsjunkie.com/blog/joomlabusinessdirectory4-9-4release/ Note that the developer did not inform the VEL...
Chronoforms 5.0.12 PHP mailer vulnerability
Chronoforms 5.0.12 and previous versions include a PHPMailer library vulnerable to CVE-2016-10033. Resolution: update to 5.0.13. Update notice: https://www.chronoengine.com/forums/posts/t102804/p363944/phpmailer-library.html...
[20100423] - Core - Session Fixation
Session id doesn't get modified when user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie. If the user then logs in, the remote site can use that cookie to authenticate as that user...
[20151201] - Core - Remote Code Execution Vulnerability
Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability...
EasyBlog pre 3.9.15770
EasyBlog Extension Update Details. This fix has been included in EasyBlog 3.9.15770 UpdateNoticeURL http://stackideas.com/blog/easyblog-3-9-15770-released...
AcyMailing 5.6.0 PHP Mailer vulnerability
AcyMailing 5.6.0 and previous versions include a PHPMailer library vulnerable to CVE-2016-10033 and CVE-2016-10045. Resolution: update to 5.6.1. Update notice: https://www.acyba.com/68-acymailing-changelog.html...
[20200604] - Core - XSS in jQuery.htmlPrefilter
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are "... security issues in jQuery’s DOM manipulation methods, as in .html, .append, and the others."...
Chronoforms 5.0.13 PHP mailer vulnerability
Chronoforms 5.0.13 and previous versions include a PHPMailer library vulnerable to CVE-2016-10045. Resolution: update to 5.0.14. Update notice: https://www.chronoengine.com/forums/posts/t102804/p363944/phpmailer-library.html...
[20161002] - Core - Elevated Privileges
Incorrect use of unfiltered data allows for users to register on a site with elevated privileges...
[20090606] - Core - Missing JEXEC Check
Some files were missing the check for JEXEC. These scripts will then expose internal path information of the host...
[20140902] - Core - Unauthorised Logins
Inadequate checking allowed unauthorised logins via LDAP authentication...
[20151204] - Core - Directory Traversal
Inadequate filtering of request data leads to a Directory Traversal vulnerability...
[20130405] - Core - XSS Vulnerability
Inadequate filtering leads to XSS vulnerability in Voting plugin...
Jomres 9.8.22 and previous PHPMailer vulnerability
Jomres versions 9.8.20 and previous contain a PHPMailer library vulnerable to CVE-2016-10033. Jomres versions 9.8.22 and previous contain a PHPMailer library vulnerable to CVE-2016-10045. Resolution: update to version 9.8.24. Update notice: http://updates.jomres4.net/CHANGELOGJOMRES...
[20130401] - Core - Privilege Escalation
Inadequate permission checking allows unauthorised user to delete private messages...
[20151205] - Session - Remote Code Execution Vulnerability
Browser information is not filtered properly while saving the session values which leads to a Remote Code Execution vulnerability...
Kubik-Rubik Simple Image Gallery Extended (SIGE),3.2.3,XSS (Cross Site Scripting)
Kubik-Rubik Simple Image Gallery Extended (SIGE), versions 3.2.3 and previous, XSS (Cross Site Scripting). Resolution: update to 3.2.4; latest release is 3.3.0. Update notice: https://joomla-extensions.kubik-rubik.de/sige-simple-image-gallery-extendedchangelog Note that the developer did not inform the ...
[20140901] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in com_media...
Solidres, 2.5.0, SQL Injection
Solidres, 2.5.0 and previous, SQL Injection. Resolution: update to 2.5.1. Update notice: https://www.solidres.com/download/show-all-downloads/solidres/solidres-2-5-1...
[20161001] - Core - Account Creation
Inadequate checks allow users to register on a site when registration has been disabled...
[20151001] - Core - SQL Injection
Inadequate filtering of request data leads to a SQL Injection vulnerability...
[20150602] - Core - CSRF Protection
Lack of CSRF checks potentially enabled uploading malicious code...
Saxum Picker, 3.2.10, SQL Injection
Saxum Picker, versions 3.2.10 and previous, SQL Injection...
[20151203] - Core - Directory Traversal
Failure to properly sanitise input data from the XML install file located within an extension's package archive allows for directory traversal...
[20140903] - Core - Remote File Inclusion
Inadequate checking allowed the potential for remote files to be executed...
[20110604] - XSS Vulnerability
Inadequate filtering leads to XSS vulnerability...
[20201104] - Core - SQL injection in com_users list view
Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list...
[20150908] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in login module...
[20130406] - Core - DOS Vulnerability
Object unserialize method leads to possible denial of service vulnerability...
[20130203] - Core - Information Disclosure
Coding errors led to information disclosure in some situations...
[20190403] - Core - Object.prototype pollution in JQuery $.extend
The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks...
Proclaim, 9.1.1, Arbitrary File Upload
Proclaim from Christian Web Ministries installs as com_biblestudy, versions 9.1.1 and previous, arbitrary file upload, also backup file download. Resolution: update to 9.1.2, which fixes both issues. Update notice: https://github.com/Joomla-Bible-Study/Joomla-Bible-Study/releases...
[20151202] - Core - CSRF Hardening
Add additional CSRF hardening in com_templates...
[20130202] - Core - Information Disclosure
Undefined variable caused information disclosure in some situations...
[20130201] - Core - Information Disclosure
Method of encoding search terms led to possible information disclosure...
[20191002] - Core - Path Disclosure in phputf8 mapping files
Missing access check in the phputf8 mapping files could lead to a path disclosure...
[20190603] - Core - ACL hardening of com_joomlaupdate
The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users...
Kunena,K4.0.0 - K5.0.3,XSS (Cross Site Scripting)
Kunena, K4.0.0 - K5.0.3, XSS (Cross Site Scripting). Resolution: update to 5.0.4. Update notice: https://www.kunena.org/blog/179-kunena-5-0-4-released...
[20190601] - Core - CSV injection in com_actionlogs
The CSV export of com_actionlogs is vulnerable to CSV injection...
[20090722] - Core - File Upload
Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded and removed without logging in...
[20190501] - Core - XSS in com_users ACL debug views
The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector...
[20130403] - Core - XSS Vulnerability
Inadequate filtering allows possibility of XSS exploit in some circumstances...
[20151002] - Core - ACL Violations
Inadequate ACL checks in com_contenthistory provide potential read access to data which should be access restricted...
ZH Yandex Map, 6.2.1.0, SQL Injection
ZH Yandex Map from zhuk.cc, versions 6.2.1.0 and previous, SQL Injection. Resolution: update to version 6.3.1.0. Update notice: http://zhuk.cc/2018/02/21/zh-yandexmap-security-update-2/...
[20130402] - Core - Information Disclosure
Inadequate permission checking allows unauthorised user to see permission settings in some circumstances...
Saxum Astro, 4.0.14, SQL Injection
Saxum Astro, versions 4.0.14 and previous, SQL Injection...
[20121102] - Core - Clickjacking
Inadequate protection leads to clickjacking vulnerability...
[20121101] - Core - Clickjacking
Inadequate protection leads to clickjacking vulnerability...
[20190602] - Core - XSS in subform field
The subform fieldtype does not sufficiently filter or validate input of subfields; this leads to XSS attack vectors...