Packagist (Composer) package
joomla/joomla-cms
pkg:composer/joomla/joomla-cms
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25227 | — | >= 5.0.0, < 5.2.6 | 5.2.6 | Apr 8, 2025 | Insufficient state checks lead to a vector that allows to bypass 2FA checks. | ||
| CVE-2019-16725 | — | >= 3.0.0, < 3.9.12 | 3.9.12 | Sep 24, 2019 | In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. | ||
| CVE-2019-7743 | — | >= 2.5.0, < 3.9.3 | 3.9.3 | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. | ||
| CVE-2018-11326 | — | >= 3.0.0, < 3.8.8 | 3.8.8 | May 22, 2018 | An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack. | ||
| CVE-2013-5583 | — | < 3.1.6 | 3.1.6 | Dec 29, 2013 | Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | ||
| CVE-2011-4332 | — | < 1.6.4 | 1.6.4 | Nov 23, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2011-2509 | — | < 1.6.4 | 1.6.4 | Jul 27, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_c | ||
| CVE-2010-1649 | — | >= 1.5, < 1.5.18 | 1.5.18 | Jun 8, 2010 | Multiple cross-site scripting (XSS) vulnerabilities in the back end in Joomla! 1.5 through 1.5.17 allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "various administrator screens," possibly the search parameter in administrator/index.php |
- CVE-2025-25227Apr 8, 2025affected >= 5.0.0, < 5.2.6fixed 5.2.6
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
- CVE-2019-16725Sep 24, 2019affected >= 3.0.0, < 3.9.12fixed 3.9.12
In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
- CVE-2019-7743Feb 12, 2019affected >= 2.5.0, < 3.9.3fixed 3.9.3
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files.
- CVE-2018-11326May 22, 2018affected >= 3.0.0, < 3.8.8fixed 3.8.8
An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.
- CVE-2013-5583Dec 29, 2013affected < 3.1.6fixed 3.1.6
Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
- CVE-2011-4332Nov 23, 2011affected < 1.6.4fixed 1.6.4
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2011-2509Jul 27, 2011affected < 1.6.4fixed 1.6.4
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_c
- CVE-2010-1649Jun 8, 2010affected >= 1.5, < 1.5.18fixed 1.5.18
Multiple cross-site scripting (XSS) vulnerabilities in the back end in Joomla! 1.5 through 1.5.17 allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "various administrator screens," possibly the search parameter in administrator/index.php