Joomla / Joomla!

274 matches found

added 2017/04/25 6:59 p.m. | 49 views

CVE-2017-8057

In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused full path disclosures on systems with enabled error reporting.

CVSS 5.3 | AI score 5.6 | EPSS 0.00008

added 2018/05/22 3:29 p.m. | 49 views

CVE-2018-11324

An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.

CVSS 5.9 | AI score 5.9 | EPSS 0.00034

added 2014/10/08 7:55 p.m. | 48 views

CVE-2014-7229

Unspecified vulnerability in Joomla! before 2.5.4 before 2.5.26, 3.x before 3.2.6, and 3.3.x before 3.3.5 allows attackers to cause a denial of service via unspecified vectors.

CVSS 5 | AI score 6.5 | EPSS 0.00082

added 2017/04/25 6:59 p.m. | 48 views

CVE-2017-7983

In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers.

CVSS 5.3 | AI score 5.6 | EPSS 0.00008

added 2017/04/25 6:59 p.m. | 48 views

CVE-2017-7988

In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of form contents allows overwriting the author of an article.

CVSS 5.3 | AI score 5.5 | EPSS 0.00006

added 2007/08/08 1:17 a.m. | 47 views

CVE-2007-4189

Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in the (1) com_search, (2) com_content, and (3) mod_login components. NOTE: some of these details are obtained from third ...

CVSS 4.3 | AI score 5.6 | EPSS 0.0002

added 2007/10/18 9:17 p.m. | 47 views

CVE-2007-5577

Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Section Name form fields in the Section Manager component, or (3) multiple unspecified fields in New Menu Item.

CVSS 4.3 | AI score 5.7 | EPSS 0.00038

added 2015/10/29 8:59 p.m. | 47 views

CVE-2015-7857

SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.

CVSS 7.5 | AI score 8.4 | EPSS 0.85485

added 2015/10/29 8:59 p.m. | 47 views

CVE-2015-7858

SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.

CVSS 7.5 | AI score 8.3 | EPSS 0.9338

added 2017/01/23 9:59 p.m. | 47 views

CVE-2016-9081

Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors.

CVSS 9.8 | AI score 9.2 | EPSS 0.00213

added 2021/05/26 11:15 a.m. | 47 views

CVE-2021-26034

An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.

CVSS 6.5 | AI score 6.4 | EPSS 0.00009

added 2007/08/08 1:17 a.m. | 46 views

CVE-2007-4188

Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.

CVSS 9.3 | AI score 6.6 | EPSS 0.00077

added 2012/11/11 1:1 p.m. | 46 views

CVE-2012-5827

Joomla! 2.5.x before 2.5.8 and 3.0.x before 3.0.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors involving "Inadequate protection."

CVSS 4.3 | AI score 6.8 | EPSS 0.00012

added 2017/09/20 6:29 p.m. | 46 views

CVE-2015-5608

Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1.

CVSS 6.1 | AI score 6.2 | EPSS 0.00061

added 2015/10/29 8:59 p.m. | 46 views

CVE-2015-7859

The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 5 | AI score 6.2 | EPSS 0.00165

added 2009/05/01 4:30 p.m. | 45 views

CVE-2009-1499

SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in index.php. NOTE: SecurityFocus states that this issue has been disputed by the vendor.

CVSS 7.5 | AI score 8.7 | EPSS 0.00006

added 2014/10/20 2:55 p.m. | 45 views

CVE-2012-2413

Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVSS 4.3 | AI score 5.9 | EPSS 0.00035

added 2013/02/13 1:55 a.m. | 45 views

CVE-2013-1455

Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to an "Undefined variable."

CVSS 5 | AI score 6.1 | EPSS 0.00287

added 2013/12/29 4:25 a.m. | 45 views

CVE-2013-5583

Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

CVSS 4.3 | AI score 5.8 | EPSS 0.00023

added 2006/08/31 8:4 p.m. | 44 views

CVE-2006-4468

Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via unspecified vectors involving the (1) mosMail, (2) JosIsValidEmail, and (3) josSpoofValue functions; (4) the lack of inclusion of globals.php in administrator/i...

CVSS 6.8 | AI score 6.8 | EPSS 0.00026

added 2011/07/27 8:55 p.m. | 44 views

CVE-2011-2488

Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 5 | AI score 6.1 | EPSS 0.00011

added 2011/07/27 8:55 p.m. | 44 views

CVE-2011-2889

templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488.

CVSS 5 | AI score 6 | EPSS 0.00011

added 2006/04/21 10:2 a.m. | 43 views

CVE-2006-1957

The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter.

CVSS 5 | AI score 6.8 | EPSS 0.00283

added 2011/09/23 11:55 p.m. | 43 views

CVE-2011-3747

Joomla! 1.6.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by libraries/phpmailer/language/phpmailer.lang-joomla.php.

CVSS 5 | AI score 6.3 | EPSS 0.00179

added 2013/05/03 11:57 a.m. | 43 views

CVE-2013-3058

Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3 | AI score 5.7 | EPSS 0.00021

added 2007/08/08 1:17 a.m. | 42 views

CVE-2007-4190

CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and probably conduct HTTP response splitting attacks via CRLF sequences in the url parameter. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. NOTE: some o...

CVSS 4.3 | AI score 5.9 | EPSS 0.00009

added 2011/01/18 6:3 p.m. | 42 views

CVE-2010-4696

Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via the (1) filter_order or (2) filter_order_Dir parameter in a com_contact action to index.php, a different vulnerability than CVE-2010-4166. NOTE: the provenance of this ...

CVSS 7.5 | AI score 8.3 | EPSS 0.00074

added 2012/09/06 7:55 p.m. | 42 views

CVE-2012-0822

Cross-site scripting (XSS) vulnerability in Joomla! 1.6 and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0820.

CVSS 4.3 | AI score 5.8 | EPSS 0.00015

added 2012/09/26 12:55 a.m. | 42 views

CVE-2012-1116

SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 7.5 | AI score 8.7 | EPSS 0.00119

added 2006/01/14 1:0 a.m. | 41 views

CVE-2005-4650

Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resource consumption) via a large number of Search Mambots.

CVSS 5.3 | AI score 7 | EPSS 0.00054

added 2011/07/27 8:55 p.m. | 41 views

CVE-2011-2509

Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, a...

CVSS 4.3 | AI score 5.8 | EPSS 0.00027

added 2020/02/04 1:15 p.m. | 41 views

CVE-2011-3629

Joomla! core 1.7.1 allows information disclosure due to weak encryption

CVSS 7.5 | AI score 7.2 | EPSS 0.00013

added 2012/09/06 7:55 p.m. | 41 views

CVE-2012-0820

Cross-site scripting (XSS) vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0822.

CVSS 4.3 | AI score 5.8 | EPSS 0.00015

added 2010/07/08 10:30 p.m. | 40 views

CVE-2010-2679

SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.

CVSS 7.5 | AI score 8.6 | EPSS 0.00023

added 2012/07/03 10:55 p.m. | 40 views

CVE-2012-3828

Cross-site scripting (XSS) vulnerability in Joomla! 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the Host HTTP Header.

CVSS 4.3 | AI score 5.9 | EPSS 0.00022

added 2014/10/08 7:55 p.m. | 40 views

CVE-2014-7981

SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 7.5 | AI score 8.7 | EPSS 0.00041

added 2015/10/29 8:59 p.m. | 40 views

CVE-2015-7899

The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 5 | AI score 6.2 | EPSS 0.00077

added 2006/08/31 8:4 p.m. | 39 views

CVE-2006-4471

The Admin Upload Image functionality in Joomla! before 1.0.11 allows remote authenticated users to upload files outside of the /images/stories/ directory via unspecified vectors.

CVSS 6.5 | AI score 6.6 | EPSS 0.00093

added 2011/01/18 6:3 p.m. | 39 views

CVE-2010-4166

Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the filter_order parameter in a com_weblinks category action to index.php, (2) the filter_order_Dir parameter in a com_weblinks category action to index.php, or (3)...

CVSS 7.5 | AI score 8.6 | EPSS 0.00024

added 2011/11/23 6:55 p.m. | 39 views

CVE-2011-4321

The password reset functionality in Joomla! 1.5.x through 1.5.24 uses weak random numbers, which makes it easier for remote attackers to change the passwords of arbitrary users via unspecified vectors.

CVSS 5 | AI score 7.1 | EPSS 0.00233

added 2012/10/07 9:55 p.m. | 39 views

CVE-2011-4910

Cross-site scripting (XSS) vulnerability in Joomla! before 1.5.12 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVSS 4.3 | AI score 5.9 | EPSS 0.00032

added 2012/09/06 7:55 p.m. | 39 views

CVE-2012-0821

Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2012-0819.

CVSS 5 | AI score 6.2 | EPSS 0.00016

added 2012/09/06 7:55 p.m. | 39 views

CVE-2012-0835

Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to obtain sensitive information via unknown vectors related to "administrator."

CVSS 5 | AI score 6.1 | EPSS 0.00011

added 2012/09/06 7:55 p.m. | 39 views

CVE-2012-0837

Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to obtain the installation path via unspecified vectors related to "administrator."

CVSS 5 | AI score 6.6 | EPSS 0.00011

added 2006/08/31 8:4 p.m. | 38 views

CVE-2006-4472

Multiple unspecified vulnerabilities in Joomla! before 1.0.11 allow attackers to bypass user authentication via unknown vectors involving the (1) do_pdf command and the (2) emailform com_content task.

CVSS 7.5 | AI score 7.5 | EPSS 0.00069

added 2009/07/07 7:0 p.m. | 38 views

CVE-2008-6852

SQL injection vulnerability in the Ice Gallery (com_ice) component 0.5 beta 2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.

CVSS 7.5 | AI score 8.7 | EPSS 0.00021

added 2010/10/28 12:0 a.m. | 38 views

CVE-2010-3712

Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x before 1.5.21 and 1.6.x before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving "multiple encoded entities," as demonstrated by the query string to index.php in the com_weblinks or com_content compon...

CVSS 4.3 | AI score 5.7 | EPSS 0.00039

added 2011/07/27 8:55 p.m. | 38 views

CVE-2011-2890

The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-...

CVSS 5 | AI score 6 | EPSS 0.00165

added 2012/10/07 9:55 p.m. | 38 views

CVE-2011-4911

Joomla! before 1.5.12 does not perform a JEXEC check in unspecified files, which allows remote attackers to obtain the installation path via unspecified vectors.

CVSS 5 | AI score 6.8 | EPSS 0.00411

added 2020/02/04 2:15 p.m. | 38 views

CVE-2011-4912

Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass.

CVSS 5.3 | AI score 5.4 | EPSS 0.00006

Total number of security vulnerabilities: 274