743 matches found
[20190302] - Core - XSS in item_title layout
The itemtitle layout in edit views lacks escaping, leading to a XSS vulnerability...
[20190205] - Core - XSS Issue in core.js writeDynaList
Inadequate parameter handling in JS code could lead to an XSS attack vector...
[20181005] - Core - CSRF hardening in com_installer
Added additional CSRF hardening in cominstaller actions in the backend...
[20181004] - Core - ACL Violation in com_users for the admin verification
In case that an attacker gets access to the mail account of an user who can approve admin verifications in the registration process he can activate himself...
JS Jobs,1.1.5 and all previous,SQL Injection
JS Jobs,1.1.5 and all previous,SQL Injection Resolution: update to version 1.1.6 Update notice: https://www.joomsky.com/products/js-jobs.htmlfive...
AceShop, up to version 4.1.3,
AceShop, up to version 4.1.3, SQL Injection...
EuropaCart, 8.0.1 and below ,
EuropaCart, 8.0.1, Other - ACL @Kryptronic...
[20091103] - Core - Front-End Editor Issue
When logged into the front end with Author access, it was possible to replace an article written by another user...
[20090101] - Core - JSession SSL Session Disclosure
When running a site under SSL ONLY the entire site is forced to be under ssl, Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session. Please note that all data is still transferred securely...
[20240803] - Core - XSS in HTML Mail Templates
Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2...
Phoca Gallery, 5.0.0, XSS (Cross Site Scripting)
Update to 4.4.3, 4.5.0,5.0.1...
HikaShop Joomla Plugin, , SQL Injection
anyone with access to the order management in the backend of HikaShop to be able to use a MySQL injection to extract data from the database. "payment methods" restriction setting to custom fields of the "order" table in HikaShop 4.4.1, so prior versions of HikaShop are not impacted...
[20210303] - Core - XSS within alert messages showed to users
Missing filtering of messages showed to users that could lead to xss issues...
[20190203] - Core - Additional warning in the Global Configuration textfilter settings
"No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior but might be unexpected for the user. An additional message is now shown in the configuration dialog...
[20180501] - Core - ACL violation in access levels
Inadequate checks allowed users to modify the access levels of user groups with higher permissions...
LMS King Pro, SQL Injection
LMS King Lite and LMS King Professional by king-products.net, versions up to 3.2.3.19 lite and 3.2.3.47 pro, SQL Injection resolution: update to version 3.2.3.20 lite and 3.2.3.48 pro update notice url: https://www.king-products.net/lms-king.html...
[20160803] - Core - CSRF
Add additional CSRF hardening in comjoomlaupdate...
[20160801] - Core - ACL Violation
Inadequate ACL checks in comcontent provide potential read access to data which should be access restricted to users with editown level...
Joomlaworks allvideos
Joomlaworks allvideos plugin version 4.5.0 and previous XSS cross-site scripting Extension Update Details The new 4.6.0 version released replaces the XSS affected JW Player v5 with the newest v6. UpdateNoticeURL http://www.joomlaworks.net/forum/extension-updates/14896-june-3rd,-2014-allvideos-v4-...
Unite Horizontal Carousel
Unite Horizontal Carousel, , Directory Traversal Updated the extension, fixed the bug, the new version is 1.1 UpdateNoticeURL http://unitecms.net/news...
[20120102] - Core - XSS Vulnerability
Inadequate filtering leads to XSS vulnerability...
[20110902] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in back end...
[20260305] - Core - Arbitrary file deletion in com_joomlaupdate
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
ccNewsletter 2.2.3 security release
there is a SQL injection issue in ccNewsletter. I advice everyone using a ccNewsletter version before 2.2.2 to upgrade! You can download ccNewsletter 2.2.3 from our downloads section here. https://www.chillcreations.com/downloads/ccnewsletterreltabs-145-notes...
Easy Discuss, 4.0.20, XSS
Easy Discuss by Stackideas, versions 4.0.20 and previous, XSS Resolution: update to 4.0.21 update notice: https://stackideas.com/blog/easydiscuss4021-update...
User Bench 1.0, sql injection
User Bench by gegabyte.org, version 1.0, sql injection resolution: update to version 1.1 update notice: http://www.gegabyte.org/downloads/joomla-extensions/joomla3/components/307-user-bench...
Quiz Deluxe,3.7.4,SQL Injection
Quiz Deluxe by joomplace, 3.7.4, SQL Injection resolution: update to 3.7.5 update notice: https://www.joomplace.com/blog/secure-your-quiz.html...
Bye Bye Password,1.0.4,Information Disclosure
Bye Bye Password by Ready Bytes, versions 1.0.4 and previous, Information Disclosure Also the installer includes a tracking script...
MultiTier,3.1,SQL Injection
MultiTier by Beesto.com, 3.1, SQL Injection...
Canonical Url,4.1.1,SQL Injection
Canonical Url by CMSPlugin.com, 4.1.1, SQL Injection Resolution: update to 4.2.1 Update notice: https://www.cmsplugin.com/products/components/4-canonical-url...
kunena,4.0.10,Information Disclosure
kunena,4.0.10,Information Disclosure Developers update link https://www.kunena.org/blog/166-kunena-4-0-11-released...
[20170401] - Core - Information Disclosure
Mail sent using the JMail API leaked the used PHPMailer version in the mail headers...
mod fancy tag cloud,1.017,Other
mod fancy tag cloud comofflajninstaller,1.017,Other resolution: update to version 1.020 update notice: http://fancytagcloud.demo.offlajn.com/index.php/security-update existing users may also need to fix folder permissions, please contact the developer for further information...
JNews,8.5.1,SQL Injection
JNews, 8.5.1 and all previous, SQL Injection Resolution: update to 8.7.1 Update notice url: http://www.joobi.co/blog/jnews-8-7-released.html Note that due to discrepancy in developer's code between package and repository, some versions of previous security release 8.6.1 are still vulnerable...
Kunena 4.0.2 xss resolution
This version is a security release and addresses most of the important issues that were discovered in K 4.0.1 Developer update statement http://www.kunena.org/blog/149-kunena-4-0-2-released developer @kunena did not inform VEL...
BT Portfolio,3.0.5 and below,Other
BT Portfolio,3.0.5 and below,Other Resolution: update to 3.0.6 or later Update notice: http://bowthemes.com/bt-portfolio-version-3.0.6.4.6-released.html...
Simple Image Gallery PRO, 3.0.7 and below, XSS (Cross Site Scripting)
Simple Image Gallery PRO plgcontentjwsigpro, 3.0.7 and below, XSS Cross Site Scripting...
JB Library [jblibrary], 2.1.5 and below, XSS (Cross Site Scripting)
JB Library, 2.1.5 and below, XSS Cross Site Scripting...
Creative Contact Form [com_creativecontactform],2.0.0 and previous
Creative Contact Form comcreativecontactform,2.0.0 and previous,Other Resolution: Update to latest release 3.0.x Notice of Resolution: http://creative-solutions.net/joomla/creative-contact-form...
sbahjaoui contact 1.0
sbahjaoui contact version 1.0 SQL Injection Resolution: update to version 1.1 Update notice: http://www.sbahjaoui-info.com/en/extensions/category/10-sbahjaoui-contact.html ttweetfsubscribe...
Spider Contacts 1.3.6 SQLI
Joomla Spider Contacts 1.3.6 SQL Injection Developer update http://web-dorado.com/products/joomla-contacts.html...
kunena 3.0.5 XSS and SQL Injection
kunena 3.0.5 XSS and SQL Injection Update notice http://www.kunena.org/blog/139-kunena-3-0-6-released...
[20120303] - Core - Privilege Escalation
Programming error allows privilege escalation in some cases...
[20090603] - Core - Frontend XSS
Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel...
JS Jobs, 1.4.2, SQL Injection
JS Jobs Joomla - https://extensions.joomla.org/extension/js-jobs/ SQL injection SQLi Which versions are affected? 1.1.5 - 1.4.2...
[20240804] - Core - Improper ACL for backend profile view
Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2...
[20240702] - Core - Self-XSS in fancyselect list field layout
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector...
[20221002] - Core - RXSS through reflection of user input in headings
Joomla! CMS versions 4.0.0-4.2.3...
[20200701] - Core - CSRF in com_installer ajax_install endpoint
A missing token check in the ajaxinstall endpoint cominstaller causes a CSRF vulnerability...
Phoca Gallery,4.3.15 prior,Other
Phoca Gallery,4.3.15 prior,Other Update Notice URL https://www.phoca.cz/news/1029-phoca-gallery-4-3-17-released...