Joomla! Security Vulnerabilities and Issues — Page 4 of Joomla! CVE List

Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and list the privileges of arbitrary users via unspecified vectors.

4CVSS6.5AI score0.00005EPSS

CVE•added 2018/10/09 9:29 p.m.•55 views

CVE-2018-17858

An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.

8.8CVSS8.6AI score0.00143EPSS

CVE•added 2020/07/15 4:15 p.m.•55 views

CVE-2020-15695

An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.

6.8CVSS6.2AI score0.00006EPSS

CVE•added 2020/07/15 4:15 p.m.•55 views

CVE-2020-15697

An issue was discovered in Joomla! through 3.9.19. Internal read-only fields in the User table class could be modified by users.

4.3CVSS4.7AI score0.00009EPSS

CVE•added 2021/03/04 6:15 p.m.•55 views

CVE-2021-26027

An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article.

5.3CVSS5.6AI score0.00014EPSS

CVE•added 2021/07/07 11:15 a.m.•55 views

CVE-2021-26037

An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.

5.3CVSS5.6AI score0.00009EPSS

CVE•added 2021/07/07 11:15 a.m.•55 views

CVE-2021-26039

An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability.

6.1CVSS6.1AI score0.02166EPSS

CVE•added 2021/06/21 11:15 p.m.•54 views

CVE-2010-1434

Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vuln...

7.5CVSS7.6AI score0.00006EPSS

CVE•added 2013/05/03 11:57 a.m.•54 views

CVE-2013-3267

Cross-site scripting (XSS) vulnerability in the highlighter plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00021EPSS

CVE•added 2014/10/08 7:55 p.m.•54 views

CVE-2014-6631

Cross-site scripting (XSS) vulnerability in com_media in Joomla! 3.2.x before 3.2.5 and 3.3.x before 3.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.7AI score0.00028EPSS

CVE•added 2018/08/29 3:29 a.m.•54 views

CVE-2018-15880

An issue was discovered in Joomla! before 3.8.12. Inadequate output filtering on the user profile page could lead to a stored XSS attack.

5.4CVSS6.8AI score0.00171EPSS

CVE•added 2018/10/09 9:29 p.m.•54 views

CVE-2018-17859

An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms.

4.3CVSS4.9AI score0.00058EPSS

CVE•added 2019/03/12 6:29 p.m.•54 views

CVE-2019-9712

An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS.

6.1CVSS6.3AI score0.00026EPSS

CVE•added 2020/04/21 5:15 p.m.•54 views

CVE-2020-11889

An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.

5.3CVSS5.2AI score0.00009EPSS

CVE•added 2020/08/26 10:15 p.m.•54 views

CVE-2020-24599

An issue was discovered in Joomla! before 3.9.21. Lack of escaping in mod_latestactions allows XSS attacks.

6.1CVSS5.9AI score0.00855EPSS

CVE•added 2011/07/27 8:55 p.m.•53 views

CVE-2011-2891

Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488.

5CVSS6AI score0.00107EPSS

CVE•added 2012/09/06 9:55 p.m.•53 views

CVE-2012-1612

Cross-site scripting (XSS) vulnerability in the update manager in Joomla! 2.5.x before 2.5.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00011EPSS

CVE•added 2012/10/31 4:55 p.m.•53 views

CVE-2012-4531

Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00011EPSS

CVE•added 2013/05/03 11:57 a.m.•53 views

CVE-2013-3059

Cross-site scripting (XSS) vulnerability in the Voting plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00018EPSS

CVE•added 2014/10/08 7:55 p.m.•53 views

CVE-2014-7984

Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication.

7.5CVSS6.8AI score0.0019EPSS

CVE•added 2015/12/16 9:59 p.m.•53 views

CVE-2015-8563

Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8CVSS7.1AI score0.00006EPSS

CVE•added 2018/05/22 3:29 p.m.•53 views

CVE-2018-11327

An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission.

4.3CVSS4.8AI score0.00015EPSS

CVE•added 2018/01/30 5:29 p.m.•53 views

CVE-2018-6379

In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.

6.1CVSS5.9AI score0.0312EPSS

CVE•added 2019/01/16 8:29 a.m.•53 views

CVE-2019-6262

An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS.

5.4CVSS5.5AI score0.00015EPSS

CVE•added 2021/03/04 6:15 p.m.•53 views

CVE-2021-23129

An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages showed to users that could lead to xss issues.

6.1CVSS6.4AI score0.02951EPSS

CVE•added 2021/05/26 11:15 a.m.•53 views

CVE-2021-26032

An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.

6.1CVSS5.8AI score0.0161EPSS

CVE•added 2025/01/07 5:15 p.m.•53 views

CVE-2024-40747

Various module chromes didn't properly process inputs, leading to XSS vectors.

6.1CVSS6AI score0.00003EPSS

CVE•added 2021/06/21 11:15 p.m.•52 views

CVE-2010-1432

Joomla! Core is prone to an information disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.

7.5CVSS7.2AI score0.00008EPSS

CVE•added 2012/10/31 4:55 p.m.•52 views

CVE-2012-4532

Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl/default.php in the Language Switcher module for Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php. NOTE: some of these details are obtained from third party ...

4.3CVSS5.9AI score0.00022EPSS

CVE•added 2017/07/17 9:29 p.m.•52 views

CVE-2017-9934

Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.

6.1CVSS6.3AI score0.00375EPSS

CVE•added 2019/02/12 6:29 p.m.•52 views

CVE-2019-7742

An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific file types and browser-side MIME-type sniffing, causes an XSS attack vector.

6.1CVSS6.2AI score0.0013EPSS

CVE•added 2019/03/12 6:29 p.m.•52 views

CVE-2019-9714

An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS.

6.1CVSS6.3AI score0.00337EPSS

CVE•added 2020/07/15 4:15 p.m.•52 views

CVE-2020-15699

An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration.

5.3CVSS5.3AI score0.00008EPSS

CVE•added 2021/08/24 3:15 p.m.•52 views

CVE-2021-26040

An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.

9.1CVSS9.2AI score0.00006EPSS

CVE•added 2015/07/14 4:59 p.m.•51 views

CVE-2015-5397

Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors.

6.8CVSS6.7AI score0.00028EPSS

CVE•added 2016/01/12 8:59 p.m.•51 views

CVE-2015-8769

SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors.

7.5CVSS7.6AI score0.00599EPSS

CVE•added 2017/04/25 6:59 p.m.•51 views

CVE-2017-7989

In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

6.5CVSS6.2AI score0.00006EPSS

CVE•added 2020/03/16 4:15 p.m.•51 views

CVE-2020-10240

An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

5.3CVSS5.3AI score0.0003EPSS

CVE•added 2024/08/20 4:15 p.m.•51 views

CVE-2024-27186

The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

6.1CVSS5.8AI score0.0001EPSS

CVE•added 2024/08/20 4:15 p.m.•51 views

CVE-2024-40743

The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

6.1CVSS5.8AI score0.0001EPSS

CVE•added 2011/11/23 6:55 p.m.•50 views

CVE-2011-4332

Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.9AI score0.00022EPSS

CVE•added 2012/12/03 9:55 p.m.•50 views

CVE-2012-1598

Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors related to "insufficient randomness" and a "password reset vulnerability."

7.5CVSS6.7AI score0.01457EPSS

CVE•added 2013/05/03 11:57 a.m.•50 views

CVE-2013-3242

plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors.

5.5CVSS6.5AI score0.00175EPSS

CVE•added 2014/10/08 7:55 p.m.•50 views

CVE-2014-7982

Cross-site scripting (XSS) vulnerability in Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.0002EPSS

CVE•added 2020/03/16 4:15 p.m.•50 views

CVE-2020-10241

An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF.

8.8CVSS8.5AI score0.00037EPSS

CVE•added 2013/02/13 1:55 a.m.•49 views

CVE-2013-1454

Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to "Coding errors."

5CVSS6.1AI score0.00287EPSS

Total number of security vulnerabilities274