192 matches found
CVE-2020-35610
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
CVE-2021-23124
An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.
CVE-2018-12712
An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion.
CVE-2018-8045
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.
CVE-2020-8420
An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
CVE-2025-25227
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
CVE-2019-18674
An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure.
CVE-2020-10243
An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Featured Articles frontend menutype.
CVE-2022-27913
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
CVE-2021-26028
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Extracting an specifilcy crafted zip package could write files outside of the intended path.
CVE-2020-13760
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
CVE-2010-1435
Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1....
CVE-2016-9836
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the .php6, .php7, .phtml, and .phpt extensions. Additionally, J...
CVE-2020-24598
An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open redirect.
CVE-2024-40749
Improper Access Controls allows access to protected views.
CVE-2011-2710
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject ...
CVE-2018-17855
An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of an user who can approve admin verifications in the registration process, he can activate himself.
CVE-2020-11891
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
CVE-2020-13762
In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS.
CVE-2024-21729
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
CVE-2017-7985
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
CVE-2019-11809
An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector.
CVE-2020-11890
An issue was discovered in Joomla! before 3.9.17. Improper input validations in the usergroup table class could lead to a broken ACL configuration.
CVE-2021-23128
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat.
CVE-2021-23131
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager.
CVE-2019-6264
An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability.
CVE-2021-26030
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
CVE-2018-11328
An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could result in an XSS vulnerability.
CVE-2019-15028
In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.
CVE-2020-35612
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
CVE-2016-9837
An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in the Beez3 layout override of the com_content article view allow users to view articles that should not be publicly accessible, as demonstrated by an index.php?op...
CVE-2019-18650
An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability.
CVE-2021-23123
An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.
CVE-2024-21730
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
CVE-2024-26279
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
CVE-2018-11325
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.
CVE-2020-10238
An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
CVE-2023-23751
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
CVE-2020-13763
In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users.
CVE-2020-35615
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
CVE-2010-1433
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unaut...
CVE-2018-11323
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVE-2018-12711
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the curren...
CVE-2019-7744
An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability.
CVE-2022-27912
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
CVE-2023-23754
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
CVE-2012-1563
Joomla! before 2.5.3 allows Admin Account Creation.
CVE-2018-6377
In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox
CVE-2024-26278
The Custom Fields component not correctly filter inputs, leading to a XSS vector.
CVE-2018-11322
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.