
725 matches found

Joomla! Vulnerable Extensions List
added 2010/02/21 12:0 a.m., 17 views

[20100423] - Core - Negative Values for Limit and Offset

If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2010/01/07 12:0 a.m., 29 views

[20100423] - Core - Password Reset Tokens

When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability...

AI score: 7.9
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/12/30 12:0 a.m., 34 views

[20100423] - Core - Installer Migration Script

The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/10/13 12:0 a.m., 22 views

[20091103] - Core - XML File Read Issue

It is possible to read the contents of an extension's XML file and find the version number of the installed extension. This could allow people to exploit known security flaws for a specific version of an extension...

AI score: 6.7
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/09/05 12:0 a.m., 25 views

[20091103] - Core - Front-End Editor Issue

When logged into the front end with Author access, it was possible to replace an article written by another user...

AI score: 6.9
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/07/28 12:0 a.m., 41 views

[20090723] - Core - com_mailto Timeout Issue

In com_mailto, it was possible to bypass timeout protection against sending automated emails...

AI score: 6.9
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/07/22 12:0 a.m., 92 views

[20090722] - Core - File Upload

Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded and removed without logging in...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/07/21 12:0 a.m., 51 views

[20090722] - Core - Missing JEXEC Check

Some files were missing the check for JEXEC. These scripts will then expose internal path information of the host...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/06/30 12:0 a.m., 22 views

[20090604] - Core - Frontend XSS - HTTP_REFERER not properly filtered

An attacker can inject JavaScript or DHTML code that will be executed in the context of the targeted user's browser, allowing the attacker to steal cookies. The HTTP_REFERER variable is not properly parsed...

AI score: 6.9
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/06/22 12:0 a.m., 163 views

[20090606] - Core - Missing JEXEC Check

Some files were missing the check for JEXEC. These scripts will then expose internal path information of the host...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/06/03 12:0 a.m., 21 views

[20090605] - Core - Frontend XSS - PHP_SELF not properly filtered

An attacker can inject JavaScript code in a URL that will be executed in the context of the targeted user's browser...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/05/05 12:0 a.m., 23 views

[20090603] - Core - Frontend XSS

Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel...

AI score: 6.9
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/04/30 12:0 a.m., 30 views

[20090601] - Core - com_users XSS

An XSS vulnerability exists in the user view of com_users in the administrator panel...

AI score: 6.2
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/04/06 12:0 a.m., 18 views

[20090602] - Core - ja_purity XSS

An XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5...

AI score: 6.3
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/03/12 12:0 a.m., 30 views

[20090302] - Core - com_content XSS

An XSS vulnerability exists in the category view of com_content...

AI score: 6.3
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/02/15 12:0 a.m., 50 views

[20090301] - Core - Multiple XSS/CSRF

A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities...

AI score: 6.4
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2009/01/07 12:0 a.m., 15 views

[20090102] - Core - plg_xstandard Directory Traversal

A crafted request can cause disclosure of the directory structure on the server, including any directory that PHP has access to...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/11/20 12:0 a.m., 25 views

[20090101] - Core - JSession SSL Session Disclosure

When running a site under SSL ONLY (the entire site is forced to be under SSL), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session. Please note that all data is still transferred securely...

AI score: 6.7
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/11/09 12:0 a.m., 44 views

[20081102] - Core - com_weblinks XSS vulnerability

com_weblinks allows raw HTML into the title and description tags for weblink submissions from both the administrator and site submission forms...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/10/03 12:0 a.m., 12 views

[20081101] - Core - com_content XSS vulnerability

The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc.). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/09/07 12:0 a.m., 22 views

[20080901] - Core - JRequest Variable Injection

A flaw in JRequest exists where variables set with JRequest::setVar are not cleaned when fetching the variable at a later point in the request. This can result in variable injection (unwanted characters injected into returned data)...

AI score: 7.2
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/08/29 12:0 a.m., 17 views

[20080903] - Core - com_mailto Spam

The mailto component does not verify validity of the URL prior to sending...

AI score: 6.9
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/08/26 12:0 a.m., 17 views

[20080904] - Core - Redirect Spam

Several components use a passed-in URL to redirect to after processing. These URLs are not validated prior to the redirect. A crafted URL can cause the system to redirect to a spam or phishing site...

AI score: 6.7
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/08/23 12:0 a.m., 19 views

[20080902] - Core - Random Number Generation Flaw

A flaw in the random number generation exists which vastly reduces the entropy of the random functions used by the system. This impacts system-generated tokens and passwords. The fix increases entropy, and greatly reduces the chance of a generated token being guessed...

AI score: 6.8
Exploits: 0, Affected Software: 1

Joomla! Vulnerable Extensions List
added 2008/08/12 12:0 a.m., 28 views

[20080801] - Core - Password Remind Functionality

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may...

AI score: 6.8
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 725