747 matches found
JoomDoc 4.0.3 and previous
JoomDoc 4.0.3 and previous information disclosure resolution: update to 4.0.4 update notice: http://www.artio.net/newsflash/joomdoc-404-release...
swmenufree, v8.3 ,Other
swmenufree, swMenuFree 8.3 for Joomla 2.5.x and 3.x , other Resolution: update to version 8.5 Update notice: http://www.swmenupro.com/downloads/swmenufree.html?view=document=1...
[20150601] - Core - Open Redirect
Inadequate checking of the return value allowed to redirect to an external page...
Solidres previous to 8.0.0
Solidres previous to 8.0.0 SQL Injection Update to 8.0.0 Update notice URL http://www.solidres.com/blog/2015/01/26/solidres-0-8-0-released/...
[20120305] - Core - Password Change
Insufficient randomness leads to password reset vulnerability...
[20100423] - Core - Password Reset Tokens
When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability...
[20240805] - Core - XSS vectors in Outputfilter::strip* methods
The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors...
[20221001] - Core - Disclosure of critical information in debug mode
Joomla 4 sites with publicly enabled debug mode exposed data of previous requests...
adblock detector nordmograph
Malicious script New in 2.1 : Miner feature discontinued This is a security release for the 3.x series of Joomla! This release fixes one low level security issues...
[20210402] - Core - Inadequate filters on module layout settings
Inadequate filters on module layout settings could lead to an LFI...
[20210307] - Core - ACL violation within com_content frontend editing
Incorrect ACL checks could allow unauthorized change of the category for an article...
[20200705] - Core - Escape mod_random_image link
Lack of input filtering and escaping allows XSS attacks in modrandomimage...
[20200102] - Core - CSRF com_templates LESS compiler
A missing CSRF token check in the LESS compiler of comtemplates causes a CSRF vulnerability...
JS support ticket,1.1.5,Directory Traversal
JS support ticket,1.1.5,Directory Traversal resolution: update to 1.1.6 update notice: https://joomsky.com/products/js-ticket-joomla.html...
[20190201] - Core - Lack of URL filtering in various core components
Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability...
[20180602] - Core - XSS vulnerability in language switcher module
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url...
[20170703] - Core - XSS Vulnerability
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components...
Vik Rent Items 1.3 and previous
Vik Rent Items 1.3 and previous SQL injection Resolution:update to version 1.4 Update notice: https://extensionsforjoomla.com/blog/12-updates/46-security-notices-sql-injection-reports...
J-BusinessDirectory 4.5.4 and previous
J-BusinessDirectory 4.5.4 and previous sql injection resolution: update to 4.5.5 update notice: http://www.cmsjunkie.com/blog/joomlabusinessdirectory4-5-5release/...
Breezing Forms Full
Breezing Forms Full before build 884 Information disclosure Resolution: update to latest version Update notice: https://crosstec.org/en/blog/859-breezingforms-medium-security-update.html...
JEvents, pre 3.2.20
Extension: JEvents from jevents.net Vulnerability: SQL injection Versions affected prior to 3.2.20 Resolution: update to 3.2.20 - JEvents 3.4.0RC6 is also available for Joomla 3.4+ which fixes the same security issue. Update notice URL: https://www.jevents.net/component/zoo/item/jevents-33...
[20080801] - Core - Password Remind Functionality
A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user lowest id. Typically, this is an administrator user. Note, that changing the first users username may...
[20240703] - Core - XSS in StringHelper::truncate method
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method...
[20221101] - Core - RXSS through reflection of user input in com_media
Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in commedia...
Balbooa Forms, 2.0.6 (not tested on others), SQL Injection
Balbooa Forms, 2.0.6 , SQL Injection...
[20210302] - Core - Potential Insecure FOFEncryptRandval
The core shipped but unused randval implementation within FOF FOFEncryptRandval used an potential insecure implemetation. That has now been replaced with a call to "randombytes" and its backport that is shipped within randomcompat...
[20210301] - Core - Insecure randomness within 2FA secret generation
Usage of the insecure rand function within the process of generating the 2FA secret.Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes...
jDownloads,3.2.64,SQL Injection
jDownloads,3.2.64,SQL Injection Developers update http://www.jdownloads.com/index.php/downloads/download/6-jdownloads/2-jdownloads-3-2.htmljd65...
Easy Discuss 4.1.9 SQL Injection
Easy Discuss 4.1.9 by Stack Ideas, SQL Injection Resolution: update to 4.1.10 update notice: https://stackideas.com/blog/important-security-update-for-easydiscuss4-1-10...
[20180505] - Core - XSS Vulnerabilities & additional hardening
Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack...
[20180103] - Core - XSS vulnerability in Uri class
Inadequate input filtering in the Uri class formerly JUri leads to a XSS vulnerability...
Yeeditor, abandonware
Yeeditor from Yeedeen development apparently abandoned, developer's site is infected with malware All versions prior to 1.0.7 contain file upload vulnerability...
[20170406] - Core - ACL Violations
Inadequate filtering of form contents lead allow to overwrite the author of an article...
[20161203] - Core - Information Disclosure
Inadequate ACL checks in the Beez3 comcontent article layout override enables a user to view restricted content...
Contus HD Video Share (aka HDVideoShare) by Apptha [com_contushdvideoshare], 3.5 and below, Directory Traversal
Contus HD Video Share by Apptha comcontushdvideoshare, 3.5 and below, Directory Traversal...
Zen Library [zen], 1.0.2 and below, XSS (Cross Site Scripting)
Zen Library zen, 1.0.2, XSS Cross Site Scripting...
bo:VideoJS, 2.1.1,
bo:VideoJS, 2.1.1, xss From developerhttp://www.boeschung.de/en/joomla/bo-videojs/video-js-v320...
[20120101] - Core - Information Disclosure
Inadequate filtering leads to information disclosure...
[20240802] - Core - Cache Poisoning in Pagination
The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors...
[20240203] - Core - XSS in media selection fields
Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions...
[20190304] - Core - Missing ACL check in sample data plugins
The sample data plugins lack ACL checks, allowing unauthorized access...
[20181005] - Core - CSRF hardening in com_installer
Added additional CSRF hardening in cominstaller actions in the backend...
[20180503] - Core - Information Disclosure about unpublished tags
Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission...
JobGrok,versions 3.1, SQL Injection
JobGrok Listing - V3.1-1.2.58 and prior was vulnerable - comjobgroklist Resolution: update to V3.1-1.2.59 JobGrok Application - V3.1-1.2.55 and prior was vulnerable - comjobgrokapp Resolution: update to V3.1-1.2.56 JobGrok Premium - V3.1-1.6.69 and prior was vulnerable - comjobgrok Resolution:...
Eventix Events Calendar by Informafix,1.0,SQL Injection
Eventix Events Calendar by Informafix, 1.0, SQL Injection...
Kunena, 5.0.2 and newer, XSS (Cross Site Scripting)
Kunena,5.0.2 and newer,XSS Cross Site Scripting resolutiion: update to 5.0.5 update notice: https://www.kunena.org/forum/announcement/id-107...
[20170402] - Core - XSS Vulnerability
Inadequate filtering leads to XSS in the template manager component...
BK Multithumb for Joomla 1.5, 2.5.0.4, XSS (Cross Site Scripting)
BK-Multithumb for Joomla 1.5, 2.5.0.4, XSS Cross Site Scripting Extension contains known vulnerable version of JS library prettyPhoto The vulnerability in JS file was patched by extension author on basis of 3.1.2 file. Update notice: http://joomla.rjews.net/bk-multithumb...
HikaShop Joomla Plugin, , SQL Injection
anyone with access to the order management in the backend of HikaShop to be able to use a MySQL injection to extract data from the database. "payment methods" restriction setting to custom fields of the "order" table in HikaShop 4.4.1, so prior versions of HikaShop are not impacted...
[20230501] - Core - Open Redirects and XSS within the mfa selection
Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen...