Joomla! Security Vulnerabilities and Issues — Page 3 of Joomla! CVE List

Lucene search

JoomlaJoomla!

274 matches found

CVE•added 2023/05/30 5:15 p.m.•74 views

CVE-2023-23754

An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

6.1CVSS6AI score0.00016EPSS

CVE•added 2024/07/09 5:15 p.m.•74 views

CVE-2024-21731

Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.

6.1CVSS5.9AI score0.00038EPSS

CVE•added 2018/10/09 9:29 p.m.•73 views

CVE-2018-17857

An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation.

4.3CVSS4.8AI score0.0002EPSS

CVE•added 2018/01/30 5:29 p.m.•73 views

CVE-2018-6377

In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox

6.1CVSS6AI score0.40059EPSS

CVE•added 2024/07/09 5:15 p.m.•73 views

CVE-2024-26278

The Custom Fields component not correctly filter inputs, leading to a XSS vector.

6.1CVSS5.9AI score0.00012EPSS

CVE•added 2018/05/22 3:29 p.m.•72 views

CVE-2018-11322

An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.

7.5CVSS7.6AI score0.00219EPSS

CVE•added 2020/12/28 8:15 p.m.•72 views

CVE-2020-35612

An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.

7.5CVSS7.5AI score0.00013EPSS

CVE•added 2013/10/09 2:54 p.m.•71 views

CVE-2013-5576

administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot...

6.8CVSS6.3AI score0.53436EPSS

Web

CVE•added 2014/10/08 7:55 p.m.•71 views

CVE-2014-6631

Cross-site scripting (XSS) vulnerability in com_media in Joomla! 3.2.x before 3.2.5 and 3.3.x before 3.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.7AI score0.00028EPSS

CVE•added 2018/08/29 3:29 a.m.•71 views

CVE-2018-15882

An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.

9.8CVSS9.2AI score0.00608EPSS

CVE•added 2018/05/22 3:29 p.m.•71 views

CVE-2018-6378

In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.

6.1CVSS6AI score0.01889EPSS

CVE•added 2019/04/10 7:29 p.m.•71 views

CVE-2019-10946

An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.

7.5CVSS6.8AI score0.00048EPSS

CVE•added 2021/07/07 11:15 a.m.•71 views

CVE-2021-26035

An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability.

6.1CVSS6.1AI score0.02166EPSS

CVE•added 2022/11/08 7:15 p.m.•71 views

CVE-2022-27914

An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.

6.1CVSS6.2AI score0.00047EPSS

CVE•added 2016/12/16 9:59 a.m.•70 views

CVE-2016-9837

An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in the Beez3 layout override of the com_content article view allow users to view articles that should not be publicly accessible, as demonstrated by an index.php?op...

7.5CVSS8.2AI score0.0001EPSS

Web

CVE•added 2018/01/30 5:29 p.m.•70 views

CVE-2018-6380

In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

6.1CVSS6.2AI score0.02321EPSS

CVE•added 2019/02/12 6:29 p.m.•70 views

CVE-2019-7741

An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS.

6.1CVSS6.3AI score0.00069EPSS

CVE•added 2023/02/01 10:15 p.m.•70 views

CVE-2023-23751

An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.

4.3CVSS4.4AI score0.00005EPSS

CVE•added 2013/05/03 11:57 a.m.•69 views

CVE-2013-3056

Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and delete the private messages of arbitrary users via unspecified vectors.

4CVSS6.5AI score0.00016EPSS

CVE•added 2017/11/10 2:29 a.m.•69 views

CVE-2017-16633

In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.

4.3CVSS4.6AI score0.0003EPSS

CVE•added 2018/05/22 3:29 p.m.•69 views

CVE-2018-11325

An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.

9.8CVSS9.4AI score0.00114EPSS

CVE•added 2018/01/30 5:29 p.m.•69 views

CVE-2018-6376

In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

9.8CVSS9.6AI score0.06174EPSS

CVE•added 2020/07/15 4:15 p.m.•69 views

CVE-2020-15698

An issue was discovered in Joomla! through 3.9.19. Inadequate filtering on the system information screen could expose Redis or proxy credentials

5.3CVSS5.3AI score0.00011EPSS

CVE•added 2021/03/04 6:15 p.m.•69 views

CVE-2021-23126

An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret.

5.3CVSS6.1AI score0.00011EPSS

CVE•added 2021/03/04 6:15 p.m.•69 views

CVE-2021-23130

An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to xss issues.

6.1CVSS6.4AI score0.02951EPSS

CVE•added 2021/03/04 6:15 p.m.•69 views

CVE-2021-26029

An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field.

5.3CVSS5.5AI score0.00017EPSS

CVE•added 2022/10/25 7:15 p.m.•69 views

CVE-2022-27912

An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.

5.3CVSS5.4AI score0.00008EPSS

CVE•added 2017/04/25 6:59 p.m.•68 views

CVE-2017-7987

In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.

6.1CVSS6AI score0.0001EPSS

CVE•added 2018/05/22 3:29 p.m.•68 views

CVE-2018-11326

An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.

4.8CVSS5.1AI score0.00066EPSS

CVE•added 2019/01/16 8:29 a.m.•68 views

CVE-2019-6261

An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability.

6.1CVSS5.7AI score0.00429EPSS

CVE•added 2019/02/12 6:29 p.m.•68 views

CVE-2019-7739

An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this.

6.1CVSS6.3AI score0.00074EPSS

CVE•added 2019/03/12 6:29 p.m.•68 views

CVE-2019-9711

An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS.

6.1CVSS6.3AI score0.00368EPSS

CVE•added 2020/06/02 8:15 p.m.•68 views

CVE-2020-13763

In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users.

7.5CVSS7.4AI score0.00011EPSS

CVE•added 2021/05/26 11:15 a.m.•68 views

CVE-2021-26033

An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.

6.5CVSS6.4AI score0.00009EPSS

CVE•added 2024/08/20 4:15 p.m.•68 views

CVE-2024-27184

Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not..

6.1CVSS6.6AI score0.00005EPSS

CVE•added 2024/08/20 4:15 p.m.•68 views

CVE-2024-27187

Improper Access Controls allows backend users to overwrite their username when disallowed.

7.5CVSS6.5AI score0.00003EPSS

CVE•added 2021/06/21 11:15 p.m.•67 views

CVE-2010-1433

Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unaut...

9.8CVSS9.4AI score0.00017EPSS

CVE•added 2020/01/15 1:15 p.m.•67 views

CVE-2012-1563

Joomla! before 2.5.3 allows Admin Account Creation.

7.5CVSS7.5AI score0.00421EPSS

Web

CVE•added 2013/02/13 1:55 a.m.•67 views

CVE-2013-1453

plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via the highlight paramet...

7.5CVSS7.6AI score0.00051EPSS

Web

CVE•added 2017/04/25 6:59 p.m.•67 views

CVE-2017-7984

In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.

6.1CVSS5.8AI score0.0001EPSS

CVE•added 2018/05/22 3:29 p.m.•67 views

CVE-2018-11323

An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.

8.8CVSS8.5AI score0.0062EPSS

CVE•added 2018/08/29 3:29 a.m.•67 views

CVE-2018-15881

An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.

7.5CVSS7.4AI score0.0005EPSS

CVE•added 2019/03/12 6:29 p.m.•67 views

CVE-2019-9713

An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.

7.5CVSS7.4AI score0.00025EPSS

CVE•added 2013/05/03 11:57 a.m.•66 views

CVE-2013-3057

Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and list the privileges of arbitrary users via unspecified vectors.

4CVSS6.5AI score0.00005EPSS

CVE•added 2018/10/09 9:29 p.m.•66 views

CVE-2018-17858

An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.

8.8CVSS8.6AI score0.00136EPSS

CVE•added 2018/10/09 9:29 p.m.•66 views

CVE-2018-17859

An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms.

4.3CVSS4.9AI score0.00024EPSS

CVE•added 2019/03/12 6:29 p.m.•66 views

CVE-2019-9712

An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS.

6.1CVSS6.3AI score0.00028EPSS

CVE•added 2020/03/16 4:15 p.m.•66 views

CVE-2020-10242

An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks.

6.1CVSS5.9AI score0.01258EPSS

CVE•added 2020/07/15 4:15 p.m.•66 views

CVE-2020-15696

An issue was discovered in Joomla! through 3.9.19. Lack of input filtering and escaping allows XSS attacks in mod_random_image.

6.1CVSS5.8AI score0.02144EPSS

CVE•added 2020/07/15 4:15 p.m.•66 views

CVE-2020-15697

An issue was discovered in Joomla! through 3.9.19. Internal read-only fields in the User table class could be modified by users.

4.3CVSS4.7AI score0.00009EPSS

Total number of security vulnerabilities274