Joomla!
by Joomla
CVEs (393)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-19846 | | | 0.00 | — | 0.02 | | Dec 18, 2019 | In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors. |
| CVE-2019-19845 | | | 0.00 | — | 0.01 | | Dec 18, 2019 | In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure. |
| CVE-2019-18650 | | | 0.00 | — | 0.00 | | Nov 6, 2019 | An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability. |
| CVE-2019-18674 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure. |
| CVE-2019-15028 | | | 0.00 | — | 0.01 | | Aug 14, 2019 | In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms. |
| CVE-2019-14654 | | | 0.00 | — | 0.02 | | Aug 5, 2019 | In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9. |
| CVE-2019-12766 | | | 0.00 | — | 0.01 | | Jun 11, 2019 | An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. |
| CVE-2019-12764 | | | 0.00 | — | 0.01 | | Jun 11, 2019 | An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users. |
| CVE-2019-11809 | | | 0.00 | — | 0.01 | | May 20, 2019 | An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. |
| CVE-2019-10946 | | | 0.00 | — | 0.01 | | Apr 10, 2019 | An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users. |
| CVE-2019-9712 | | | 0.00 | — | 0.01 | | Mar 12, 2019 | An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS. |
| CVE-2019-9713 | | | 0.00 | — | 0.02 | | Mar 12, 2019 | An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access. |
| CVE-2019-9711 | | | 0.00 | — | 0.01 | | Mar 12, 2019 | An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS. |
| CVE-2019-9714 | | | 0.00 | — | 0.01 | | Mar 12, 2019 | An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS. |
| CVE-2019-7744 | | | 0.00 | — | 0.01 | | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability. |
| CVE-2019-7742 | | | 0.00 | — | 0.01 | | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific file types and browser-side MIME-type sniffing, causes an XSS attack vector. |
| CVE-2019-7741 | | | 0.00 | — | 0.01 | | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS. |
| CVE-2019-7740 | | | 0.00 | — | 0.01 | | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could lead to an XSS attack vector. |
| CVE-2019-7743 | | | 0.00 | — | 0.03 | | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. |
| CVE-2019-7739 | | | 0.00 | — | 0.01 | | Feb 12, 2019 | An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain… |