[20240701] - Core - XSS in accessible media selection field
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field...
osTicky2, , Other
This extension is abandoned and should be removed from your site...
[20240204] - Core - XSS in mail address outputs
Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components...
[20240203] - Core - XSS in media selection fields
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions...
[20240201] - Core - Insufficient session expiration in MFA management views
Joomla! CMS versions 3.2.0-3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2...
[20240205] - Core - Inadequate content filtering within the filter code
Inadequate content filtering leads to XSS vulnerabilities in various components...
[20240202] - Core - Open redirect in installation application
Joomla! CMS versions 1.5.0 - 3.10.14-elts, 4.0.0-4.4.2, 5.0.0-5.0.2...
LazyDbBackup, 3.9.0, Other
LazyDbBackup Version: 4.0.8...
acymailing, pre 8.7.0, Other
acymailing, pre 8.7.0, Other: multiple...
Solidres, 2.13.3, hub plugin XSS (Cross Site Scripting)
https://www.solidres.com/forum/report-bugs/12031-vulnerability-joomla-solidres-2-13-3-reflected-xss...
bagallery , , Other
Developer statement: Old 1.1 / New 1.2. Update details: We have thoroughly tested all the code in our component to ensure it is free of any security issues. Update URL: https://bestaddon.com/product/ba-gallery/Changelog...
[20231101] - Core - Exposure of environment variables
Joomla! CMS versions 1.6.0-4.4.0, 5.0.0...
quickform, , Other
Developer states exploit is "hack yourself" scenario...
JC Dashboards, 1.3.10, Other
JCDashboards updated latest version V1.3.31, as this includes a fix for a possible security leak should your Linux server not be configured correctly in certain circumstances. Changelog: https://joomcode.com/jcmedia/comjcdashboards/versionhistory.html | Download URL: ...
LM-CUSTOM-ADMIN, , Other
Version: Old 2.7.3 / New 2.7.4. Update details: block code php shell_exec. Update URL: https://lomart.fr/extensions-blog/38-modules-administrator/125-lm-custom-administrator Changelog URL:...
Virtual Classroom, , SQL Injection
Developer release blog https://blog.braincert.com/virtual-classroom-security-release-elevate-your-online-learning-on-wordpress-and-joomla/...
HikaShop Joomla Plugin, , SQL Injection
Anyone with access to the order management in the backend of HikaShop could use a MySQL injection to extract data from the database. The affected "payment methods" restriction setting for custom fields of the "order" table was added in HikaShop 4.4.1, so prior versions of HikaShop are not impacted...
[20230502] - Core - Bruteforce prevention within the mfa screen
Joomla! CMS versions 4.2.0-4.3.1...
Visforms Base Package for Joomla!, 4, SQL Injection
Project: Visforms for Joomla 3. Extension: com_visforms. Impact: Critical. Severity: High. Probability: Unknown. Versions: 3.8.0 - 3.14.10. Exploit type: SQL Injection. Reported Date: 2023-04-16. Fixed Date: 2023-04-19. CVE Number: CVE-2023-23753. Description: An improper use of input filter allows...
JoomGallery, 3.6.1, SQL Injection
Vulnerability Type: 3rd party extension - SQL Injection Version: Old 3.6.1 / New 3.6.2 Update details: Fix vulnerability type SQL Injection. Update URL: https://www.en.joomgalleryfriends.net/news-3-6-2.html Changelog URL:...
[20230501] - Core - Open Redirects and XSS within the mfa selection
Joomla! CMS versions 4.2.0-4.3.1...
[20230201] - Core - Improper access check in webservice endpoints
Joomla! CMS versions 4.0.0-4.2.7...
J-BusinessDirectory, 5.7.7 and prior, Other
In the J-BusinessDirectory version 5.8.3 we have updated guzzlehttp to the latest version, 7.5.0 and to PSR 2.1.5...
[20230102] - Core - Missing ACL checks for com_actionlogs
Joomla! CMS versions 4.0.0-4.2.6...
LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login, 5.0.2, Other
Other: 5.0.2 exploit. Check developer for new releases...
[20230101] - Core - CSRF within post-installation messages
Joomla! CMS versions 4.0.0-4.2.6...
[20221101] - Core - RXSS through reflection of user input in com_media
Joomla! CMS versions 4.0.0-4.2.4...
[20221001] - Core - Disclosure of critical information in debug mode
Joomla 4 sites with publicly enabled debug mode exposed data of previous requests...
[20221002] - Core - RXSS through reflection of user input in headings
Joomla! CMS versions 4.0.0-4.2.3...
JKassa, 2.0.0, SQL Injection
JKassa, 2.0.0, SQL Injection. Update to latest version: https://jkassa.com/en/extensions/jkassa.html...
jCart for OpenCart, 3.0.3.19, XSS (Cross Site Scripting)
Here is the link on our site: https://extensions.soft-php.com/support/latest-news/79-joocart-jcart-30325-release-notice.html...
EDocman, 1.23.3, XSS (Cross Site Scripting)
developer update https://joomdonation.com/forum/edocman/75400-01st-august-2023-new-version-1-24-7-xss-issue-fixed.html...
[20220801] - Core - Multiple Full Path Disclosures because of missing '_JEXEC or die check'
Multiple Full Path Disclosures because of a missing '_JEXEC or die check', caused by the PSR-12 changes done in 4.2.0. According to PROD2020/023 and in coordination with the JSST, this has been patched in the public tracker via 38615...
JUX Timetable x
JUX Timetable Version: Old 1.0.4 / New 1.0.5. Update URL: https://extensions.joomla.org/extension/jux-timetable/ Download URL: https://demo.joomlaux.com/download/pkgjuxtimetable.zip...
[20220301] - Core - Zip Slip within the Tar extractor
Extracting a specifically crafted tar package could write files outside of the intended path...
adblock detector nordmograph
Malicious script. New in 2.1: Miner feature discontinued. This is a security release for the 3.x series of Joomla! This release fixes one low-level security issue...
[20220308] - Core - Inadequate content filtering within the filter code
Inadequate content filtering leads to XSS vulnerabilities in various components...
[20220307] - Core - Variable Tampering on JInput $_REQUEST data
Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data...
Balbooa Forms, 2.0.6 (not tested on others), SQL Injection
Balbooa Forms, 2.0.6, SQL Injection...
[20220309] - Core - XSS attack vector through SVG
Possible XSS attack vector through SVG embedding in com_media...
[20210801] - Core - Insufficient access control for com_media deletion endpoint
The media manager does not correctly check the user's permissions before executing a file deletion command...
[20210705] - Core - XSS in com_media imagelist
Inadequate escaping in the imagelist view of com_media leads to an XSS vulnerability...
[20210702] - Core - DoS through usergroup table manipulation
Missing validation of input could lead to a broken usergroups table...
[20210704] - Core - Privilege escalation through com_installer
The install action in com_installer lacks the required hard-coded ACL checks for super users, leading to various potential attack vectors. A default system is not affected because by default com_installer is limited to super users already...
[20210701] - Core - XSS in JForm Rules field
Inadequate escaping in the Rules field of the JForm API leads to an XSS vulnerability...
[20210503] - Core - CSRF in data download endpoints
A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo...
[20210502] - Core - CSRF in AJAX reordering endpoint
A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint...
[20220304] - Core - Missing input validation within com_fields class inputs
Lack of input validation could allow an XSS attack using com_fields...
YooRecipe, All,
SQL injection vulnerability, possibly in all versions; abandoned extension...
[20220306] - Core - Inadequate validation of internal URLs
Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not...