Lucene search: Joomla!

274 matches found

CVE-2010-1433 (added 2021/06/21)
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unaut...
CVSS 9.8 | AI score 9.4 | EPSS 0.00017

CVE-2013-1453 (added 2013/02/13)
plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via the highlight paramet...
CVSS 7.5 | AI score 7.6 | EPSS 0.00051

CVE-2018-11323 (added 2018/05/22)
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVSS 8.8 | AI score 8.5 | EPSS 0.0062

CVE-2020-10238 (added 2020/03/16)
An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
CVSS 7.5 | AI score 7.3 | EPSS 0.03125

CVE-2022-27912 (added 2022/10/25)
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
CVSS 5.3 | AI score 5.4 | EPSS 0.00007

CVE-2012-1563 (added 2020/01/15)
Joomla! before 2.5.3 allows Admin Account Creation.
CVSS 7.5 | AI score 7.5 | EPSS 0.00421
CVE-2020-35615 (added 2020/12/28)
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
CVSS 6.8 | AI score 6.3 | EPSS 0.00004

CVE-2015-7297 (added 2015/10/29)
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
CVSS 7.5 | AI score 8.3 | EPSS 0.9338

CVE-2015-8564 (added 2015/12/16)
Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal sequences in the XML install file in an extension package archive.
CVSS 7.5 | AI score 7.1 | EPSS 0.00064

CVE-2018-12711 (added 2018/06/26)
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflected XSS via injection of arbitrary parameters and/or values on the curren...
CVSS 6.1 | AI score 6.0 | EPSS 0.01238

CVE-2019-7744 (added 2019/02/12)
An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability.
CVSS 6.1 | AI score 6.1 | EPSS 0.0015

CVE-2023-23754 (added 2023/05/30)
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new MFA selection screen.
CVSS 6.1 | AI score 6.0 | EPSS 0.00016

CVE-2018-6377 (added 2018/01/30)
In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox.
CVSS 6.1 | AI score 6.0 | EPSS 0.46615
CVE-2019-7740 (added 2019/02/12)
An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could lead to an XSS attack vector.
CVSS 6.1 | AI score 6.2 | EPSS 0.0015

CVE-2024-26278 (added 2024/07/09)
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
CVSS 6.1 | AI score 5.9 | EPSS 0.00006

CVE-2011-1151 (added 2020/02/05)
Joomla! 1.6.0 is vulnerable to SQL Injection via the filter_order and filer_order_Dir parameters.
CVSS 9.1 | AI score 9.5 | EPSS 0.0004

CVE-2017-9933 (added 2017/07/17)
Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents.
CVSS 7.5 | AI score 7.2 | EPSS 0.00045

CVE-2018-11322 (added 2018/05/22)
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
CVSS 7.5 | AI score 7.6 | EPSS 0.00219

CVE-2018-17857 (added 2018/10/09)
An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation.
CVSS 4.3 | AI score 4.8 | EPSS 0.00049

CVE-2018-15882 (added 2018/08/29)
An issue was discovered in Joomla! before 3.8.12. Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.
CVSS 9.8 | AI score 9.2 | EPSS 0.01174

CVE-2018-6378 (added 2018/05/22)
In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.
CVSS 6.1 | AI score 6.0 | EPSS 0.01889

CVE-2019-7743 (added 2019/02/12)
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non-.phar files.
CVSS 9.8 | AI score 9.4 | EPSS 0.01449
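The CVE-2019-7743 entry above names the missing protection without showing what it looks like. The following is an added example written for this page; it is not Joomla's code and not the TYPO3 wrapper the entry refers to. It shows a path gate (the hypothetical assertSafePath()) that must run before any filesystem function which honours stream wrappers, plus the blunt alternative of unregistering the phar wrapper entirely. The sample paths are constructed, and the gate assumes the upload filter already refuses files named *.phar (compare CVE-2018-15882 above), since a .phar-named upload would pass it.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's or TYPO3's code. Gate attacker-influenced paths
// before they reach file_exists(), is_file(), filesize(), fopen() and similar
// calls, all of which resolve stream wrappers. If a path selects the phar://
// wrapper, allow it only when it names a real .phar archive: PHP unserializes
// phar metadata as soon as a wrapper-aware call touches the archive, whatever
// the file's extension, which is the object-injection primitive.

function isPharPath(string $path): bool
{
    // Wrapper lookup is case-insensitive, so "PHAR://" must be caught as well.
    return (bool) preg_match('~^\s*phar://~i', $path);
}

function assertSafePath(string $path): string
{
    if (!isPharPath($path)) {
        return $path;
    }
    $rest = preg_replace('~^\s*phar://~i', '', $path);
    // The archive is the leading component ending in ".phar"; whatever follows
    // the next slash is a path inside the archive. No such component: refuse.
    if (!preg_match('~^(.+?\.phar)(/|$)~i', $rest)) {
        throw new RuntimeException("phar:// refused for non-.phar target: $path");
    }
    return $path;
}

// Blunt alternative for applications that never open phar archives at runtime.
// With the wrapper unregistered, "phar://..." is just an invalid path.
// Returns true if the wrapper was present and has now been removed.
function disablePharWrapper(): bool
{
    return in_array('phar', stream_get_wrappers(), true)
        && stream_wrapper_unregister('phar');
}

// Constructed sample paths for the demonstration.
$samples = [
    '/var/www/images/upload.jpg',
    'phar://vendor/tool.phar/bin/run.php',
    'phar:///var/www/images/upload.jpg',   // JPEG carrying phar metadata
    'PHAR://uploads/avatar.png/x',
];
foreach ($samples as $p) {
    try {
        assertSafePath($p);
        echo "allowed: $p\n";
    } catch (RuntimeException $e) {
        echo "blocked: $p\n";
    }
}
```

The gate is only as good as its coverage: one unguarded file_exists() on a user-controlled string reopens the hole, which is why a wrapper-level interception (or unregistering the wrapper) is the more robust fix for applications that do not need phar at runtime.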
CVE-2022-27914 (added 2022/11/08)
An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.
CVSS 6.1 | AI score 6.2 | EPSS 0.00038

CVE-2024-21731 (added 2024/07/09)
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
CVSS 6.1 | AI score 5.9 | EPSS 0.0001

CVE-2018-6380 (added 2018/01/30)
In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
CVSS 6.1 | AI score 6.2 | EPSS 0.0312

CVE-2021-26035 (added 2021/07/07)
An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to an XSS vulnerability.
CVSS 6.1 | AI score 6.1 | EPSS 0.02166

CVE-2013-3056 (added 2013/05/03)
Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and delete the private messages of arbitrary users via unspecified vectors.
CVSS 4.0 | AI score 6.5 | EPSS 0.00016

CVE-2017-11364 (added 2017/08/02)
The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.
CVSS 8.8 | AI score 8.4 | EPSS 0.00125

CVE-2019-10946 (added 2019/04/10)
An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
CVSS 7.5 | AI score 6.8 | EPSS 0.00048

CVE-2019-7741 (added 2019/02/12)
An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS.
CVSS 6.1 | AI score 6.3 | EPSS 0.00064

CVE-2021-23126 (added 2021/03/04)
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The insecure rand() function is used when generating the 2FA secret.
CVSS 5.3 | AI score 6.1 | EPSS 0.00011
CVE-2021-23130 (added 2021/03/04)
An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to XSS issues.
CVSS 6.1 | AI score 6.4 | EPSS 0.02951

CVE-2021-26029 (added 2021/03/04)
An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow the author field to be overwritten.
CVSS 5.3 | AI score 5.5 | EPSS 0.00017

CVE-2017-7987 (added 2017/04/25)
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.
CVSS 6.1 | AI score 6.0 | EPSS 0.0001

CVE-2018-11326 (added 2018/05/22)
An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform an XSS attack.
CVSS 4.8 | AI score 5.1 | EPSS 0.00066

CVE-2018-6376 (added 2018/01/30)
In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
CVSS 9.8 | AI score 9.6 | EPSS 0.07734

CVE-2020-15698 (added 2020/07/15)
An issue was discovered in Joomla! through 3.9.19. Inadequate filtering on the system information screen could expose Redis or proxy credentials.
CVSS 5.3 | AI score 5.3 | EPSS 0.00011

CVE-2021-23127 (added 2021/03/04)
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The 2FA secret is generated with a length of 10 bytes rather than the 20 bytes recommended by RFC 4226.
CVSS 9.1 | AI score 9.2 | EPSS 0.00009
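CVE-2021-23126 and CVE-2021-23127 above are two defects in the same routine: the generator (rand()) and the length (10 bytes). The block below is an added example for this page, not Joomla's code, and it puts the weak pattern the two entries describe beside the hardened one. The function names (weakTotpSecret, strongTotpSecret, base32Encode, secretBitLength) are assumed for the illustration; the base32 encoder is included because authenticator apps expect the secret in that form, which is where the bit count is easy to read off.

```php
<?php
declare(strict_types=1);

// Added example (not Joomla's own code): generating an HOTP/TOTP shared secret.
// Shows the two weaknesses side by side with their fix: a secret drawn from
// rand(), and a secret that is only 10 bytes (80 bits) long.

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// RFC 4648 base32 without padding, the form authenticator apps accept.
function base32Encode(string $raw): string
{
    $bits = '';
    foreach (str_split($raw) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

// WEAK: the shape the two advisories describe. rand() is not a CSPRNG, so its
// output is predictable from a small amount of observed state, and 10 bytes
// gives only 80 bits of secret even if the generator were perfect.
function weakTotpSecret(): string
{
    $raw = '';
    for ($i = 0; $i < 10; $i++) {
        $raw .= chr(rand(0, 255));
    }
    return base32Encode($raw);
}

// HARDENED: random_bytes() reads the OS CSPRNG and throws rather than fall back
// to something weaker; 20 bytes (160 bits) is the key length RFC 4226 recommends
// for the HMAC-SHA1 construction, and 128 bits is its stated minimum.
function strongTotpSecret(int $bytes = 20): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('OTP secret must be at least 16 bytes (RFC 4226)');
    }
    return base32Encode(random_bytes($bytes));
}

// Audit helper for secrets already in the database: the encoded length reveals
// how many bits of key material they carry, without decoding them.
function secretBitLength(string $base32): int
{
    return intdiv(strlen(rtrim($base32, '=')) * 5, 8) * 8;
}

$weak = weakTotpSecret();
$strong = strongTotpSecret();
printf("weak:   %s (%d bits)\n", $weak, secretBitLength($weak));
printf("strong: %s (%d bits)\n", $strong, secretBitLength($strong));
```

A 16-character base32 secret is the fingerprint of the 10-byte generator; any site that stored secrets under the affected versions should treat those as needing re-enrolment rather than trusting that the library upgrade alone repaired them.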
CVE-2024-27184 (added 2024/08/20)
Inadequate validation of URLs could result in an incorrect check of whether a redirect URL is internal or not.
CVSS 6.1 | AI score 6.6 | EPSS 0.00005
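The CVE-2024-27184 entry above says only that the internal-URL check could be wrong. Below is an added example written for this page (not Joomla's code and not its Uri helper) of what such a check has to reject to be right. The function isInternalRedirect() is hypothetical, the site base is passed in explicitly so the check cannot be steered by the request's own Host header, and the test inputs are constructed. It uses str_starts_with()/str_contains(), so it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's code: decide whether a user-supplied "return to"
// URL may be used in a redirect. Every branch below corresponds to a known way
// of making a URL look internal to a naive parser while a browser sends the
// user elsewhere.
function isInternalRedirect(string $url, string $siteBase): bool
{
    // Control characters and whitespace let browsers re-parse the URL differently.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Browsers treat backslashes as slashes, so "/\evil" acts like "//evil".
    if (str_contains($url, '\\')) {
        return false;
    }
    // Protocol-relative URLs resolve to another origin.
    if (str_starts_with($url, '//')) {
        return false;
    }
    // A plain site-relative path cannot leave the origin.
    if (str_starts_with($url, '/')) {
        return true;
    }
    $parts = parse_url($url);
    $base  = parse_url($siteBase);
    if ($parts === false || $base === false || !isset($parts['scheme'], $parts['host'])) {
        // "javascript:..." or a bare "evil.example/path": not an internal URL.
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)
        || $scheme !== strtolower($base['scheme'] ?? '')) {
        return false;   // non-web scheme, or a downgrade from the site's own scheme
    }
    // "https://site.example@evil.example" parses with host evil.example, but do
    // not depend on the parser and the browser agreeing: refuse userinfo outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Host must match exactly (case-insensitively), and so must the port.
    return strtolower($parts['host']) === strtolower($base['host'] ?? '')
        && ($parts['port'] ?? null) === ($base['port'] ?? null);
}

// Constructed cases for a site living at https://site.example
$cases = [
    '/index.php?option=com_users'         => true,
    'https://site.example/administrator/' => true,
    'https://SITE.example/'               => true,
    '//evil.example/'                     => false,
    '/\\evil.example/'                    => false,
    'https://site.example@evil.example/'  => false,
    'https://evil.example/?site.example'  => false,
    'https://site.example.evil.example/'  => false,
    'javascript:alert(1)'                 => false,
    "https://site.example/\n"             => false,
    'http://site.example/'                => false,
    'https://site.example:8443/'          => false,
];
foreach ($cases as $url => $expected) {
    $ok = isInternalRedirect($url, 'https://site.example') === $expected;
    printf("%s %s\n", $ok ? 'PASS' : 'FAIL', addcslashes($url, "\n"));
}
```

The allow-list shape matters: the function returns true for exactly two forms (a single-slash relative path, or an absolute URL with the site's own scheme, host and port) and false for everything else, so a parser quirk that was not anticipated fails closed rather than open.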
CVE-2017-14595 (added 2017/09/20)
In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
CVSS 4.3 | AI score 6.6 | EPSS 0.00071

CVE-2017-7984 (added 2017/04/25)
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.
CVSS 6.1 | AI score 5.8 | EPSS 0.0001

CVE-2018-15881 (added 2018/08/29)
An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation.
CVSS 7.5 | AI score 7.4 | EPSS 0.00218

CVE-2019-7739 (added 2019/02/12)
An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this.
CVSS 6.1 | AI score 6.3 | EPSS 0.00069

CVE-2021-26033 (added 2021/05/26)
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
CVSS 6.5 | AI score 6.4 | EPSS 0.00009
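CVE-2020-35615 and CVE-2021-26033 above both come down to a state-changing endpoint that never verified the anti-CSRF token. The block below is an added example for this page, not Joomla's token API, showing the check those handlers were missing: issue a per-session random token, verify it with a constant-time comparison before any side effect, and refuse GET for state changes. The $session array stands in for the server-side session store, and the function and field names (issueCsrfToken, checkCsrfToken, handleExport, "token") are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's code: anti-CSRF token handling for an endpoint
// such as an e-mail export or an AJAX reorder action. $session is an array
// standing in for the server-side session so the example runs from the CLI.

function issueCsrfToken(array &$session): string
{
    // One unguessable token per session; random_bytes() is the CSPRNG source.
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// True only if the request carries the session's token. hash_equals() keeps the
// comparison constant-time so the token does not leak byte by byte.
function checkCsrfToken(array $session, array $request, string $field = 'token'): bool
{
    $expected = $session['csrf'] ?? '';
    $supplied = $request[$field] ?? '';
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// The handler shape the two advisories lacked: method and token are checked
// before the side effect, and a token in a GET URL does not count.
function handleExport(array $session, array $request): string
{
    if (($request['method'] ?? 'GET') !== 'POST' || !checkCsrfToken($session, $request)) {
        return '403 invalid token';
    }
    return '200 export queued';
}

// Constructed requests against one session.
$session = [];
$token = issueCsrfToken($session);

echo handleExport($session, ['method' => 'POST', 'token' => $token]), "\n"; // legitimate form
echo handleExport($session, ['method' => 'POST']), "\n";                    // forged cross-site form
echo handleExport($session, ['method' => 'GET', 'token' => $token]), "\n";  // token leaked into a URL
echo handleExport($session, ['method' => 'POST', 'token' => 'x']), "\n";    // guessed token
```

For an AJAX endpoint the token typically travels as a request header or a parameter the page's own script adds; the verification on the server is the same, and it is the verification, not the token's presence in the HTML, that closes the hole.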
CVE-2017-16633 (added 2017/11/10)
In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
CVSS 4.3 | AI score 4.6 | EPSS 0.0003

CVE-2017-16634 (added 2017/11/10)
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.
CVSS 9.8 | AI score 9.5 | EPSS 0.00148

CVE-2019-6261 (added 2019/01/16)
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability.
CVSS 6.1 | AI score 5.7 | EPSS 0.00368

CVE-2019-9711 (added 2019/03/12)
An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS.
CVSS 6.1 | AI score 6.3 | EPSS 0.00337

CVE-2019-9713 (added 2019/03/12)
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
CVSS 7.5 | AI score 7.4 | EPSS 0.00025

CVE-2020-10242 (added 2020/03/16)
An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks.
CVSS 6.1 | AI score 5.9 | EPSS 0.01258
Total number of security vulnerabilities: 274