725 matches found
[20170704] - Core - Installer: Lack of Ownership Verification
The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control...
Directorix Directory Manager,1.1.1,SQL Injection
Directorix Directory Manager,1.1.1,SQL Injection...
Joomloc-lite by joomloc.fr,1.3.3,SQL Injection
Joomloc-lite by joomloc.fr, 1.3.3, SQL Injection Resolution: update to 1.4.1 Update Notice URL http://www.joomloc.fr.nf/telecharger/file/joomloc-lite-free-3.html...
Google Map Store Locator by Matamko,4.0,SQL Injection
Google Map Store Locator by Matamko, 4.0, SQL Injection...
Huge IT Portfolio Gallery 1.0.7 and previous
Huge IT Portfolio Gallery 1.0.7 and previous Security updates connected with CSRF and XSS resolution: update to 1.1.0...
K2,2.7.0,XSS (Cross Site Scripting)
K2,2.7.0,XSS Cross Site Scripting resolution: update to 2.7.1 update notice url: https://getk2.org/blog/2571-k2-v271-released Note that the VEL do not agree with the developer's assessment that XSS vulnerability is low priority...
Payplans SQLi
SQL Injection In PayPlans. readybytes developer update notice. http://www.readybytes.net/blog/item/payplans-sql-injection-blog.html Community notified report...
[20170405] - Core - XSS Vulnerability
Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component...
AP Portfolio [mod_ap_portfolio], 3.3 and below, XSS (Cross Site Scripting)
AP Portfolio modapportfolio, 3.3.1 and below, XSS Cross Site Scripting Extension includes vulnerable JS library prettyPhoto Vulnerability fixed in version 3.3.2 Update notice:http://aplikko.com/joomla-extensions/ap-portfolio...
Creative Contact Form [com_creativecontactform],2.0.0 and previous
Creative Contact Form comcreativecontactform,2.0.0 and previous,Other Resolution: Update to latest release 3.0.x Notice of Resolution: http://creative-solutions.net/joomla/creative-contact-form...
sbahjaoui contact 1.0
sbahjaoui contact version 1.0 SQL Injection Resolution: update to version 1.1 Update notice: http://www.sbahjaoui-info.com/en/extensions/category/10-sbahjaoui-contact.html ttweetfsubscribe...
JDownloads
unauthorized file upload vulnerable versions: below 1.9.1.6 Joomla 2.5 and below 1.9.2.11 Joomla 3 security release announcement: http://www.jdownloads.com/index.php?option=comcontent=article=231:urgent-security-update-for-19-series=51:news Note that the developer did not inform the VEL...
Spider Contacts 1.3.6 SQLI
Joomla Spider Contacts 1.3.6 SQL Injection Developer update http://web-dorado.com/products/joomla-contacts.html...
kunena 3.0.5 XSS and SQL Injection
kunena 3.0.5 XSS and SQL Injection Update notice http://www.kunena.org/blog/139-kunena-3-0-6-released...
plg_highlight_content, 1.5 and previous
plghighlightcontent, 1.5 and previious versions, XSS Cross Site Scripting update notice: http://www.jonijnm.es/web/descargas/category/9-highlight-code.html...
Google Maps plugin for Joomla, pre 3.1 and 2.20,
Google Maps plugin for Joomla, 3.1 and 2.20, XSS Cross Site Scripting joomla-base reumer.net developer statement A SECURITY RELEASE 3.1 of plugin Google Maps by Reumer is released and this must be applied to your Joomla installation...
[20091103] - Core - XML File Read Issue
It is possible to read the contents of an extension's XML file and find the version number of the installed extension. This could allow people to exploit a known security flaws for a specific version of an extension...
[20090605] - Core - Frontend XSS - PHP_SELF not properly filtered
An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser...
[20080901] - Core - JRequest Variable Injection
A flaw in JRequest exists where variables set with JRequest::setVar are not cleaned when fetching the variable at a later point in the request. This can result in variable injection unwanted characters injected into returned data...
Convert Forms, 4.4.10, XSS (Cross Site Scripting)
New 5.0 Update details: All XSS and SQL reported issues have been fixed in the latest release 5.0 Update URL: https://www.tassos.gr/releases/convert-forms/convert-forms-5-0-0 Changelog URL: https://www.tassos.gr/releases/convert-forms/convert-forms-5-0-0...
JS Jobs, 1.4.2, SQL Injection
JS Jobs Joomla - https://extensions.joomla.org/extension/js-jobs/ SQL injection SQLi Which versions are affected? 1.1.5 - 1.4.2...
[20250201] - Core - SQL injection vulnerability in Scheduled Tasks component
Joomla! CMS versions 4.1.0-4.4.10, 5.0.0-5.2.3...
[20240804] - Core - Improper ACL for backend profile view
Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2...
[20240202] - Core - Open redirect in installation application
Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2...
jCart for OpenCart, jCart for OpenCart 3.0.3.19, XSS (Cross Site Scripting)
Here is the link on our site: https://extensions.soft-php.com/support/latest-news/79-joocart-jcart-30325-release-notice.html...
[20220304] - Core - Missing input validation within com_fields class inputs
Lack of input validation could allow an XSS attack using comfields...
[20200101] - Core - CSRF in batch actions
Missing token checks in the batch actions of various components causes CSRF vulnerabilities...
J-CruiseReservation 6.0.2 sqli
new version number 6.0.4 UpdateNotice URL https://www.cmsjunkie.com/blog/cruise-reservations-update/...
All Regular Labs extensions with editor buttons
All Regular Labs extensions with editor buttons, versions before 7 September 2018, cross site scripting XSS:- - Articles Anywhere - Conditional Content - Dummy Content - Modals - Modules Anywhere - Sliders - Snippets - Tabs - Tooltips The editor button popup urls could potentially be used...
JCE Editor,2.6.25, XSS (Cross Site Scripting)
JCE Editor Pro, Version 2.6.25 only, XSS Cross Site Scripting Resolution: update to 2.6.26 Update notice: https://www.joomlacontenteditor.net/news/jce-pro-2-6-26-released...
HDW Player,4.0.0, RCE
HDW Player,4.0.0 and all other versions, remote code execution Note that this vulnerabilitiy was supposedly fixed by the developer in version 3.2.2, the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that th...
Ajax Quiz by Webkul,2.0,SQL Injection
Ajax Quiz by Webkul, 2.0 and previous, SQL Injection Resolution: update to version 2.1 Update notice: https://store.webkul.com/AjaxQuiz.html...
HikaShop Business,3.1.0,SQL Injection
HikaShop Business,3.1.0,SQL Injection new version number 3.1.1 Update Notice URL https://www.hikashop.com/home/blog/373-security-release-for-hikashop-business.html...
[20170705] - Core - XSS Vulnerability
Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components...
[20170403] - Core - XSS Vulnerability
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components...
Virtuemart 3.0.10 and previous
XSS Resolution: update to 3.0.12 or 2.6.22 for VM2 users Update notice: http://virtuemart.net/news/latest-news/473-security-release-virtuemart-3-0-12 Note that developer did not inform the VEL...
JMS Support Online module, 2.0.0, XSS (Cross Site Scripting)
JMS Support Online module,2.0.0,XSS Cross Site Scripting...
Huge IT Slider,1.0.9,SQL Injection
Huge IT Slider,1.0.9,SQL Injection Resolution: update to 1.1.0 update notice: https://huge-it.com/joomla-extensions-security-notice/...
[20170701] - Core - Information Disclosure
Improper cache invalidation leads to disclosure of form contents...
Master User, versions before 2.1.4
Versions before 2.1.4 suffered from an issue with insecure default settings, the issue affects Joomla 3.4 sites only, but users are advised by the developer to update anyway. Resolution: Update to version 2.1.4 Update notice URL:...
Art Pretty Photo [artprettyphoto],1.9.21 and below,XSS (Cross Site Scripting)
Art Pretty Photo artprettyphoto, 1.9.21 and below, XSS Cross Site Scripting...
OS Property - Joomla Real Estate sqli pre 2.8.1
OS Property - Joomla Real Estate sqli 12th May 2014 - New version 2.8.1 ============== Bug Fixed =============== 1. SQL Injection solved developer did not inform VEL...
Face Gallery by Apptha [com_facegallery] version 1.0
Face Gallery by Apptha comfacegallery, version 1.0 exploit: Other...
youtube plugin - youtubejoomla ,1.1
youtube plugin - Stian Totland,1.1 ,Other , youtubejoomla...
JCE - Joomla Content Editor 2.4.5 and previous
Versions 2.4.5 and previous Update to Version 2.4.6 improves security in add-on installation system UpdateNoticeURL https://www.joomlacontenteditor.net/news/item/jce-246-released...
Akeeba CMS Update
Extension Update Details Akeeba CMS Update 1.0.2 Update Notice URL https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html...
Joomla Multicalendar, 5.3.2 and previous versions,
Joomla Multicalendar, 5.3.2 and previous versions, XSS Cross Site Scripting UpdateNoticeURL http://www.joomlacalendars.com/faq/multi-view-calendar-for-joomlaq39...
[20140301] - Core - SQL Injection
Inadequate escaping leads to SQL injection vulnerability...
spider contact lite, sqli
spider contact lite , , as per http://vel.joomla.org/vel-blog/976-spider-contacts-1-3-3.html Extension Update Details We have fixed the vulnerability on Spider Contacts Lite. We have changed the version to 1.3.4 on JED and also added corresponding text to the description. UpdateNoticeURL...
[20121001] - Core - XSS Vulnerability
Typographical error leads to XSS vulnerability in language search component...