Joomla! CMS

Source repositories

https://github.com/joomla/joomla-cms

CVEs (69)

CVE	CVSS	EPSS	Published	Description
CVE-2024-21722	—	0.00	Feb 20, 2024	The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
CVE-2024-21726	—	0.00	Feb 20, 2024	Inadequate content filtering leads to XSS vulnerabilities in various components.
CVE-2023-40626	—	0.00	Nov 29, 2023	The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.
CVE-2023-23754	—	0.00	May 30, 2023	An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
CVE-2023-23755	—	0.00	May 30, 2023	An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
CVE-2023-23751	—	0.00	Feb 1, 2023	An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
CVE-2023-23750	—	0.00	Feb 1, 2023	An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
CVE-2022-27914	—	0.00	Nov 8, 2022	An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.
CVE-2022-27913	—	0.00	Oct 25, 2022	An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
CVE-2022-27912	—	0.00	Oct 25, 2022	An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
CVE-2022-27911	—	0.00	Aug 31, 2022	An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.
CVE-2022-23801	—	0.01	Mar 30, 2022	An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.
CVE-2022-23800	—	0.01	Mar 30, 2022	An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.
CVE-2022-23799	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
CVE-2022-23798	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.
CVE-2022-23797	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection.
CVE-2022-23796	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.
CVE-2022-23795	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.
CVE-2022-23794	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application.
CVE-2022-23793	—	0.00	Mar 30, 2022	An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path.

CVE-2024-21722Feb 20, 2024
risk 0.00cvss —epss 0.00
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
CVE-2024-21726Feb 20, 2024
risk 0.00cvss —epss 0.00
Inadequate content filtering leads to XSS vulnerabilities in various components.
CVE-2023-40626Nov 29, 2023
risk 0.00cvss —epss 0.00
The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.
CVE-2023-23754May 30, 2023
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
CVE-2023-23755May 30, 2023
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
CVE-2023-23751Feb 1, 2023
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
CVE-2023-23750Feb 1, 2023
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
CVE-2022-27914Nov 8, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.
CVE-2022-27913Oct 25, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
CVE-2022-27912Oct 25, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
CVE-2022-27911Aug 31, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.
CVE-2022-23801Mar 30, 2022
risk 0.00cvss —epss 0.01
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.
CVE-2022-23800Mar 30, 2022
risk 0.00cvss —epss 0.01
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.
CVE-2022-23799Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
CVE-2022-23798Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.
CVE-2022-23797Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection.
CVE-2022-23796Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.
CVE-2022-23795Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.
CVE-2022-23794Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application.
CVE-2022-23793Mar 30, 2022
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path.

Page 2 of 4