747 matches found
[20200701] - Core - CSRF in com_installer ajax_install endpoint
A missing token check in the ajaxinstall endpoint cominstaller causes a CSRF vulnerability...
J-CruiseReservation 6.0.2 sqli
new version number 6.0.4 UpdateNotice URL https://www.cmsjunkie.com/blog/cruise-reservations-update/...
[20190204] - Core - Stored XSS issue in the Global Configuration help url #2
Inadequate checks at the Global Configuration helpurl settings allowed a stored XSS...
CW Article Attachments (Pro Version), SQL Injection
CW Article Attachments Pro Version from cwjoomla.com, versions 2.1.0 and previous, SQL Injection resolution: update to 2.1.2 update notice: http://www.cwjoomla.com/download-cw-article-attachments...
JBuildozer,1.4.1,SQL Injection
JBuildozer,1.4.1,SQL Injection...
NS Download Shop, 2.2.6, SQL Injection
NS Download Shop, 2.2.6, SQL Injection Resolution: update to 2.2.8 Update notice: https://nswd.co/extensions/help-desk/security-release-v2-2-8...
[20180507] - Core - Session deletion race condition
A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated...
[20171103] - Core - Information Disclosure
A logic bug in comfields exposed read-only information about a site's custom fields to unauthorized users...
[20170704] - Core - Installer: Lack of Ownership Verification
The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control...
Directorix Directory Manager,1.1.1,SQL Injection
Directorix Directory Manager,1.1.1,SQL Injection...
Joomloc-lite by joomloc.fr,1.3.3,SQL Injection
Joomloc-lite by joomloc.fr, 1.3.3, SQL Injection Resolution: update to 1.4.1 Update Notice URL http://www.joomloc.fr.nf/telecharger/file/joomloc-lite-free-3.html...
Google Map Store Locator by Matamko,4.0,SQL Injection
Google Map Store Locator by Matamko, 4.0, SQL Injection...
Huge IT Portfolio Gallery 1.0.7 and previous
Huge IT Portfolio Gallery 1.0.7 and previous Security updates connected with CSRF and XSS resolution: update to 1.1.0...
K2,2.7.0,XSS (Cross Site Scripting)
K2,2.7.0,XSS Cross Site Scripting resolution: update to 2.7.1 update notice url: https://getk2.org/blog/2571-k2-v271-released Note that the VEL do not agree with the developer's assessment that XSS vulnerability is low priority...
Payplans SQLi
SQL Injection In PayPlans. readybytes developer update notice. http://www.readybytes.net/blog/item/payplans-sql-injection-blog.html Community notified report...
[20170405] - Core - XSS Vulnerability
Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component...
AP Portfolio [mod_ap_portfolio], 3.3 and below, XSS (Cross Site Scripting)
AP Portfolio modapportfolio, 3.3.1 and below, XSS Cross Site Scripting Extension includes vulnerable JS library prettyPhoto Vulnerability fixed in version 3.3.2 Update notice:http://aplikko.com/joomla-extensions/ap-portfolio...
JDownloads
unauthorized file upload vulnerable versions: below 1.9.1.6 Joomla 2.5 and below 1.9.2.11 Joomla 3 security release announcement: http://www.jdownloads.com/index.php?option=comcontent=article=231:urgent-security-update-for-19-series=51:news Note that the developer did not inform the VEL...
Joomla Multicalendar, 5.3.2 and previous versions,
Joomla Multicalendar, 5.3.2 and previous versions, XSS Cross Site Scripting UpdateNoticeURL http://www.joomlacalendars.com/faq/multi-view-calendar-for-joomlaq39...
plg_highlight_content, 1.5 and previous
plghighlightcontent, 1.5 and previious versions, XSS Cross Site Scripting update notice: http://www.jonijnm.es/web/descargas/category/9-highlight-code.html...
Google Maps plugin for Joomla, pre 3.1 and 2.20,
Google Maps plugin for Joomla, 3.1 and 2.20, XSS Cross Site Scripting joomla-base reumer.net developer statement A SECURITY RELEASE 3.1 of plugin Google Maps by Reumer is released and this must be applied to your Joomla installation...
[20140301] - Core - SQL Injection
Inadequate escaping leads to SQL injection vulnerability...
spider contact lite, sqli
spider contact lite , , as per http://vel.joomla.org/vel-blog/976-spider-contacts-1-3-3.html Extension Update Details We have fixed the vulnerability on Spider Contacts Lite. We have changed the version to 1.3.4 on JED and also added corresponding text to the description. UpdateNoticeURL...
[20121001] - Core - XSS Vulnerability
Typographical error leads to XSS vulnerability in language search component...
[20120201] - Core - Information Disclosure
Inadequate validation leads to information disclosure in administrator...
[20111101] - Core - XSS Vulnerability
Inadequate filtering leads to XSS vulnerability in back end...
[20111002] - Core - Information Disclosure
Inadequate error checking causes potential information disclosure...
[20091103] - Core - XML File Read Issue
It is possible to read the contents of an extension's XML file and find the version number of the installed extension. This could allow people to exploit a known security flaws for a specific version of an extension...
[20090605] - Core - Frontend XSS - PHP_SELF not properly filtered
An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser...
[20080901] - Core - JRequest Variable Injection
A flaw in JRequest exists where variables set with JRequest::setVar are not cleaned when fetching the variable at a later point in the request. This can result in variable injection unwanted characters injected into returned data...
Convert Forms, 4.4.10, XSS (Cross Site Scripting)
New 5.0 Update details: All XSS and SQL reported issues have been fixed in the latest release 5.0 Update URL: https://www.tassos.gr/releases/convert-forms/convert-forms-5-0-0 Changelog URL: https://www.tassos.gr/releases/convert-forms/convert-forms-5-0-0...
[20250201] - Core - SQL injection vulnerability in Scheduled Tasks component
Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of comscheduler...
[20240202] - Core - Open redirect in installation application
Inadequate parsing of URLs could result into an open redirect...
jCart for OpenCart, jCart for OpenCart 3.0.3.19, XSS (Cross Site Scripting)
Here is the link on our site: https://extensions.soft-php.com/support/latest-news/79-joocart-jcart-30325-release-notice.html...
[20220304] - Core - Missing input validation within com_fields class inputs
Lack of input validation could allow an XSS attack using comfields...
acymailing, 6.9.2,Other
acymailing, 6.9.2,Other Update to version 6.9.2 Developer did not inform the VEL team...
[20200101] - Core - CSRF in batch actions
Missing token checks in the batch actions of various components causes CSRF vulnerabilities...
oziogallery,5.0.1,XSS (Cross Site Scripting)
oziogallery,5.0.1,XSS Cross Site Scripting Update Notice URL https://www.facebook.com/groups/oziogallery/permalink/1588619457938122/ Change log Url https://www.opensourcesolutions.es/en/ext/ozio-gallery.htmlChangelog...
All Regular Labs extensions with editor buttons
All Regular Labs extensions with editor buttons, versions before 7 September 2018, cross site scripting XSS:- - Articles Anywhere - Conditional Content - Dummy Content - Modals - Modules Anywhere - Sliders - Snippets - Tabs - Tooltips The editor button popup urls could potentially be used...
JCE Editor,2.6.25, XSS (Cross Site Scripting)
JCE Editor Pro, Version 2.6.25 only, XSS Cross Site Scripting Resolution: update to 2.6.26 Update notice: https://www.joomlacontenteditor.net/news/jce-pro-2-6-26-released...
HDW Player,4.0.0, RCE
HDW Player,4.0.0 and all other versions, remote code execution Note that this vulnerabilitiy was supposedly fixed by the developer in version 3.2.2, the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that th...
Ajax Quiz by Webkul,2.0,SQL Injection
Ajax Quiz by Webkul, 2.0 and previous, SQL Injection Resolution: update to version 2.1 Update notice: https://store.webkul.com/AjaxQuiz.html...
HikaShop Business,3.1.0,SQL Injection
HikaShop Business,3.1.0,SQL Injection new version number 3.1.1 Update Notice URL https://www.hikashop.com/home/blog/373-security-release-for-hikashop-business.html...
[20170705] - Core - XSS Vulnerability
Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components...
Membership Pro and other OS Solution extensions
Os Solution products have fixed an issue in the Paypal payment gateway in five of their extensions and made new releases to fix it:- 1. Events Booking version 2.14.2 https://www.joomdonation.com/forum/events-booking-general-discussion/57320-events-booking-version-2-14-2-released.html 2...
[20170403] - Core - XSS Vulnerability
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components...
Virtuemart 3.0.10 and previous
XSS Resolution: update to 3.0.12 or 2.6.22 for VM2 users Update notice: http://virtuemart.net/news/latest-news/473-security-release-virtuemart-3-0-12 Note that developer did not inform the VEL...
JMS Support Online module, 2.0.0, XSS (Cross Site Scripting)
JMS Support Online module,2.0.0,XSS Cross Site Scripting...
Huge IT Slider,1.0.9,SQL Injection
Huge IT Slider,1.0.9,SQL Injection Resolution: update to 1.1.0 update notice: https://huge-it.com/joomla-extensions-security-notice/...
[20170701] - Core - Information Disclosure
Improper cache invalidation leads to disclosure of form contents...