725 matches found
Eventix Events Calendar by Informafix,1.0,SQL Injection
Eventix Events Calendar by Informafix, 1.0, SQL Injection...
Kunena, 5.0.2 and newer, XSS (Cross Site Scripting)
Kunena,5.0.2 and newer,XSS Cross Site Scripting resolutiion: update to 5.0.5 update notice: https://www.kunena.org/forum/announcement/id-107...
BK Multithumb for Joomla 1.5, 2.5.0.4, XSS (Cross Site Scripting)
BK-Multithumb for Joomla 1.5, 2.5.0.4, XSS Cross Site Scripting Extension contains known vulnerable version of JS library prettyPhoto The vulnerability in JS file was patched by extension author on basis of 3.1.2 file. Update notice: http://joomla.rjews.net/bk-multithumb...
Zen Library [zen], 1.0.2 and below, XSS (Cross Site Scripting)
Zen Library zen, 1.0.2, XSS Cross Site Scripting...
EuropaCart, 8.0.1 and below ,
EuropaCart, 8.0.1, Other - ACL @Kryptronic...
[20091103] - Core - Front-End Editor Issue
When logged into the front end with Author access, it was possible to replace an article written by another user...
[20090101] - Core - JSession SSL Session Disclosure
When running a site under SSL ONLY the entire site is forced to be under ssl, Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session. Please note that all data is still transferred securely...
[20240803] - Core - XSS in HTML Mail Templates
Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2...
Phoca Gallery, 5.0.0, XSS (Cross Site Scripting)
Update to 4.4.3, 4.5.0,5.0.1...
HikaShop Joomla Plugin, , SQL Injection
anyone with access to the order management in the backend of HikaShop to be able to use a MySQL injection to extract data from the database. "payment methods" restriction setting to custom fields of the "order" table in HikaShop 4.4.1, so prior versions of HikaShop are not impacted...
[20210303] - Core - XSS within alert messages showed to users
Missing filtering of messages showed to users that could lead to xss issues...
[20190203] - Core - Additional warning in the Global Configuration textfilter settings
"No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog...
[20180501] - Core - ACL violation in access levels
Inadequate checks allowed users to modify the access levels of user groups with higher permissions...
LMS King Pro, SQL Injection
LMS King Lite and LMS King Professional by king-products.net, versions up to 3.2.3.19 lite and 3.2.3.47 pro, SQL Injection resolution: update to version 3.2.3.20 lite and 3.2.3.48 pro update notice url: https://www.king-products.net/lms-king.html...
JS Jobs,1.1.5 and all previous,SQL Injection
JS Jobs,1.1.5 and all previous,SQL Injection Resolution: update to version 1.1.6 Update notice: https://www.joomsky.com/products/js-jobs.htmlfive...
AceShop, up to version 4.1.3,
AceShop, up to version 4.1.3, SQL Injection...
Joomlaworks allvideos
Joomlaworks allvideos plugin version 4.5.0 and previous XSS cross-site scripting Extension Update Details The new 4.6.0 version released replaces the XSS affected JW Player v5 with the newest v6. UpdateNoticeURL http://www.joomlaworks.net/forum/extension-updates/14896-june-3rd,-2014-allvideos-v4-...
Unite Horizontal Carousel
Unite Horizontal Carousel, , Directory Traversal Updated the extension, fixed the bug, the new version is 1.1 UpdateNoticeURL http://unitecms.net/news...
[20110902] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in back end...
[20260305] - Core - Arbitrary file deletion in com_joomlaupdate
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
ccNewsletter 2.2.3 security release
there is a SQL injection issue in ccNewsletter. I advice everyone using a ccNewsletter version before 2.2.2 to upgrade! You can download ccNewsletter 2.2.3 from our downloads section here. https://www.chillcreations.com/downloads/ccnewsletterreltabs-145-notes...
Easy Discuss, 4.0.20, XSS
Easy Discuss by Stackideas, versions 4.0.20 and previous, XSS Resolution: update to 4.0.21 update notice: https://stackideas.com/blog/easydiscuss4021-update...
Quiz Deluxe,3.7.4,SQL Injection
Quiz Deluxe by joomplace, 3.7.4, SQL Injection resolution: update to 3.7.5 update notice: https://www.joomplace.com/blog/secure-your-quiz.html...
Bye Bye Password,1.0.4,Information Disclosure
Bye Bye Password by Ready Bytes, versions 1.0.4 and previous, Information Disclosure Also the installer includes a tracking script...
MultiTier,3.1,SQL Injection
MultiTier by Beesto.com, 3.1, SQL Injection...
Canonical Url,4.1.1,SQL Injection
Canonical Url by CMSPlugin.com, 4.1.1, SQL Injection Resolution: update to 4.2.1 Update notice: https://www.cmsplugin.com/products/components/4-canonical-url...
[20170401] - Core - Information Disclosure
Mail sent using the JMail API leaked the used PHPMailer version in the mail headers...
[20160803] - Core - CSRF
Add additional CSRF hardening in comjoomlaupdate...
mod fancy tag cloud,1.017,Other
mod fancy tag cloud comofflajninstaller,1.017,Other resolution: update to version 1.020 update notice: http://fancytagcloud.demo.offlajn.com/index.php/security-update existing users may also need to fix folder permissions, please contact the developer for further information...
[20160801] - Core - ACL Violation
Inadequate ACL checks in comcontent provide potential read access to data which should be access restricted to users with editown level...
[20120102] - Core - XSS Vulnerability
Inadequate filtering leads to XSS vulnerability...
[20090603] - Core - Frontend XSS
Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel...
[20240702] - Core - Self-XSS in fancyselect list field layout
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector...
[20221002] - Core - RXSS through reflection of user input in headings
Joomla! CMS versions 4.0.0-4.2.3...
[20200701] - Core - CSRF in com_installer ajax_install endpoint
A missing token check in the ajaxinstall endpoint cominstaller causes a CSRF vulnerability...
Phoca Gallery,4.3.15 prior,Other
Phoca Gallery,4.3.15 prior,Other Update Notice URL https://www.phoca.cz/news/1029-phoca-gallery-4-3-17-released...
Easy Shop ,1.2.3 ,Other
Easy Shop ,1.2.3 ,Other Developer update 1.2.4 https://www.joomtech.net/blog/easyshop-1-2-4-security-issues-fixed Developer did not tellvel...
[20190204] - Core - Stored XSS issue in the Global Configuration help url #2
Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS...
CW Article Attachments (Pro Version), SQL Injection
CW Article Attachments Pro Version from cwjoomla.com, versions 2.1.0 and previous, SQL Injection resolution: update to 2.1.2 update notice: http://www.cwjoomla.com/download-cw-article-attachments...
User Bench 1.0, sql injection
User Bench by gegabyte.org, version 1.0, sql injection resolution: update to version 1.1 update notice: http://www.gegabyte.org/downloads/joomla-extensions/joomla3/components/307-user-bench...
JBuildozer,1.4.1,SQL Injection
JBuildozer,1.4.1,SQL Injection...
NS Download Shop, 2.2.6, SQL Injection
NS Download Shop, 2.2.6, SQL Injection Resolution: update to 2.2.8 Update notice: https://nswd.co/extensions/help-desk/security-release-v2-2-8...
[20180507] - Core - Session deletion race condition
A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated...
[20171103] - Core - Information Disclosure
A logic bug in comfields exposed read-only information about a site's custom fields to unauthorized users...
[20170704] - Core - Installer: Lack of Ownership Verification
The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control...
Directorix Directory Manager,1.1.1,SQL Injection
Directorix Directory Manager,1.1.1,SQL Injection...
Joomloc-lite by joomloc.fr,1.3.3,SQL Injection
Joomloc-lite by joomloc.fr, 1.3.3, SQL Injection Resolution: update to 1.4.1 Update Notice URL http://www.joomloc.fr.nf/telecharger/file/joomloc-lite-free-3.html...
Google Map Store Locator by Matamko,4.0,SQL Injection
Google Map Store Locator by Matamko, 4.0, SQL Injection...
kunena,4.0.10,Information Disclosure
kunena,4.0.10,Information Disclosure Developers update link https://www.kunena.org/blog/166-kunena-4-0-11-released...
[20170405] - Core - XSS Vulnerability
Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component...