Filtered by vendor Joomla
Total: 920 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-21731 | 1 Joomla | 1 Joomla! | 2024-08-16 | N/A | 6.1 MEDIUM | Improper handling of input could lead to an XSS vector in the StringHelper::truncate method. |
CVE-2024-21729 | 1 Joomla | 1 Joomla! | 2024-08-16 | N/A | 6.1 MEDIUM | Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field. |
CVE-2024-21730 | 1 Joomla | 1 Joomla! | 2024-08-16 | N/A | 5.4 MEDIUM | The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector. |
CVE-2023-23752 | 1 Joomla | 1 Joomla! | 2024-08-14 | N/A | 5.3 MEDIUM | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. |
CVE-2006-4556 | 2 Joomla, Mambo | 2 Jim Component, Jim Component | 2024-08-07 | 7.5 HIGH | N/A | PHP remote file inclusion vulnerability in index.php in the JIM component for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: another researcher has stated that the product distribution does not include an index.php file. Also, this might be related to CVE-2006-4242. |
CVE-2006-4378 | 1 Joomla | 1 Rssxt Component | 2024-08-07 | 7.5 HIGH | N/A | Multiple PHP remote file inclusion vulnerabilities in the Rssxt component for Joomla! (com_rssxt), possibly 2.0 Beta 1 or 1.0 and earlier, allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter in (1) pinger.php, (2) RPC.php, or (3) rssxt.php. NOTE: another researcher has disputed this issue, saying that the attacker cannot control this parameter. In addition, as of 20060825, the original researcher has appeared to be unreliable in some other past reports. CVE has not performed any follow-up analysis with respect to this issue. |
CVE-2006-4269 | 2 Joomla, Mambo | 2 X-shop Component, X-shop Component | 2024-08-07 | 7.5 HIGH | N/A | PHP remote file inclusion vulnerability in admin.x-shop.php in the x-shop component (com_x-shop) 1.7 and earlier for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: this issue has been disputed by third-party researchers, who state that there is no mosConfig_absolute_path parameter and no admin.x-shop.php file in the reported package. |
CVE-2007-5389 | 2 Joomla, Swmenupro | 2 Joomla, Swmenufree | 2024-08-07 | 6.8 MEDIUM | N/A | PHP remote file inclusion vulnerability in preview.php in the swMenuFree (com_swmenufree) 4.6 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: a reliable third party disputes this issue because preview.php tests a certain constant to prevent direct requests. |
CVE-2007-2196 | 2 Joomla, Mambo | 2 Jambook, Jambook | 2024-08-07 | 6.8 MEDIUM | N/A | PHP remote file inclusion vulnerability in jambook.php in the Jambook (com_Jambook) 1.0 beta7 module for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: this issue has been disputed by a reliable third party because jambook.php protects against direct requests. |
CVE-2009-0380 | 3 Joomla, Mambo-foundation, Sigsiu.net | 3 Joomla, Mambo, Sobi2 | 2024-08-07 | 7.5 HIGH | N/A | SQL injection vulnerability in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the bid parameter in a showbiz action to index.php, a different vector than CVE-2008-0607. NOTE: CVE disputes this issue, since neither "showbiz" nor "bid" appears in the source code for SOBI2. |
CVE-2010-0158 | 2 Joomla, Joomlabamboo | 2 Joomla, Jb Simpla | 2024-08-07 | 7.5 HIGH | N/A | SQL injection vulnerability in the JoomlaBamboo (JB) Simpla Admin template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to the com_content component, reachable through index.php. NOTE: the vendor disputes this report, saying: "JoomlaBamboo has investigated this report, and it is incorrect. There is no SQL injection vulnerability involving the id parameter in an article view, and there never was. JoomlaBamboo customers have no reason to be concerned about this report." |
CVE-2024-26279 | 1 Joomla | 1 Joomla! | 2024-07-19 | N/A | 6.1 MEDIUM | The wrapper extensions do not correctly validate inputs, leading to XSS vectors. |
CVE-2024-26278 | 1 Joomla | 1 Joomla! | 2024-07-19 | N/A | 6.1 MEDIUM | The Custom Fields component does not correctly filter inputs, leading to an XSS vector. |
CVE-2023-40626 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 7.5 HIGH | The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information. |
CVE-2023-23754 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 6.1 MEDIUM | An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new MFA selection screen. |
CVE-2023-23755 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 7.5 HIGH | An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute-force attacks against MFA methods. |
CVE-2023-23751 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 4.3 MEDIUM | An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non-super-admin users to access com_actionlogs. |
CVE-2023-23750 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 6.3 MEDIUM | An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages. |
CVE-2022-27911 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 5.3 MEDIUM | An issue was discovered in Joomla! 4.2.0. Multiple full path disclosures because of a missing '_JEXEC or die' check, caused by the PSR12 changes. |
CVE-2022-27912 | 1 Joomla | 1 Joomla! | 2024-02-28 | N/A | 5.3 MEDIUM | An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests. |