Joomla! CMS
CVEs (69)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-23752 | | 0.23 | — | 0.95 | KEV | Feb 16, 2023 | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. |
| CVE-2021-23132 | | 0.05 | — | 0.59 | | Mar 4, 2021 | An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads. |
| CVE-2021-26030 | | 0.01 | — | 0.09 | | Apr 14, 2021 | An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on the error page. |
| CVE-2025-25227 | | 0.00 | — | 0.00 | | Apr 8, 2025 | Insufficient state checks lead to a vector that allows bypassing 2FA checks. |
| CVE-2024-40749 | | 0.00 | — | 0.00 | | Jan 7, 2025 | Improper access controls allow access to protected views. |
| CVE-2024-40747 | | 0.00 | — | 0.00 | | Jan 7, 2025 | Various module chromes didn't properly process inputs, leading to XSS vectors. |
| CVE-2024-40748 | | 0.00 | — | 0.00 | | Jan 7, 2025 | Lack of output escaping in the id attribute of menu lists. |
| CVE-2024-27185 | | 0.00 | — | 0.00 | | Aug 20, 2024 | The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. |
| CVE-2024-27186 | | 0.00 | — | 0.00 | | Aug 20, 2024 | The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions. |
| CVE-2024-27184 | | 0.00 | — | 0.00 | | Aug 20, 2024 | Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not. |
| CVE-2024-40743 | | 0.00 | — | 0.00 | | Aug 20, 2024 | The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors. |
| CVE-2024-27187 | | 0.00 | — | 0.00 | | Aug 20, 2024 | Improper access controls allow backend users to overwrite their username when disallowed. |
| CVE-2024-21729 | | 0.00 | — | 0.00 | | Jul 9, 2024 | Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field. |
| CVE-2024-21730 | | 0.00 | — | 0.00 | | Jul 9, 2024 | The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector. |
| CVE-2024-26279 | | 0.00 | — | 0.00 | | Jul 9, 2024 | The wrapper extensions do not correctly validate inputs, leading to XSS vectors. |
| CVE-2024-26278 | | 0.00 | — | 0.00 | | Jul 9, 2024 | The Custom Fields component does not correctly filter inputs, leading to an XSS vector. |
| CVE-2024-21731 | | 0.00 | — | 0.00 | | Jul 9, 2024 | Improper handling of input could lead to an XSS vector in the StringHelper::truncate method. |
| CVE-2024-21723 | | 0.00 | — | 0.00 | | Feb 20, 2024 | Inadequate parsing of URLs could result in an open redirect. |
| CVE-2024-21725 | | 0.00 | — | 0.01 | | Feb 20, 2024 | Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components. |
| CVE-2024-21724 | | 0.00 | — | 0.00 | | Feb 20, 2024 | Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions. |