Joomla!

14 matches found

CVE
added 2016/11/04 9:59 p.m., 136 views

CVE-2016-8870

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

CVSS 8.1 | AI score 8.7 | EPSS 0.91921

CVE
added 2019/08/05 1:15 a.m., 84 views

CVE-2019-14654

In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.

CVSS 8.8 | AI score 8.8 | EPSS 0.00046

CVE
added 2020/03/16 4:15 p.m., 82 views

CVE-2020-10239

An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

CVSS 8.8 | AI score 8.8 | EPSS 0.01791

CVE
added 2020/01/28 9:15 p.m., 82 views

CVE-2020-8419

An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities.

CVSS 8.8 | AI score 8.6 | EPSS 0.00006

CVE
added 2018/06/26 7:29 p.m., 81 views

CVE-2018-12712

An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion.

CVSS 8.8 | AI score 8.6 | EPSS 0.01882

CVE
added 2018/03/15 1:29 a.m., 81 views

CVE-2018-8045

In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

CVSS 8.8 | AI score 8.8 | EPSS 0.66389

CVE
added 2020/01/28 9:15 p.m., 78 views

CVE-2020-8420

An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.

CVSS 8.8 | AI score 8.5 | EPSS 0.00037

CVE
added 2020/06/02 8:15 p.m., 75 views

CVE-2020-13760

In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.

CVSS 8.8 | AI score 8.5 | EPSS 0.00008

CVE
added 2018/10/09 9:29 p.m., 72 views

CVE-2018-17855

An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of a user who can approve admin verifications in the registration process, he can activate himself.

CVSS 8.8 | AI score 8.5 | EPSS 0.00485

CVE
added 2019/11/06 2:15 a.m., 67 views

CVE-2019-18650

An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability.

CVSS 8.8 | AI score 8.5 | EPSS 0.00006

CVE
added 2018/05/22 3:29 p.m., 66 views

CVE-2018-11323

An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.

CVSS 8.8 | AI score 8.5 | EPSS 0.0062

CVE
added 2017/08/02 2:29 p.m., 59 views

CVE-2017-11364

The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.

CVSS 8.8 | AI score 8.4 | EPSS 0.00125

CVE
added 2018/10/09 9:29 p.m., 55 views

CVE-2018-17858

An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.

CVSS 8.8 | AI score 8.6 | EPSS 0.00174

CVE
added 2020/03/16 4:15 p.m., 50 views

CVE-2020-10241

An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF.

CVSS 8.8 | AI score 8.5 | EPSS 0.00037