Joomla!
by Joomla
CVEs (393)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-5363 | | | 0.06 | — | 0.31 | | Oct 11, 2007 | PHP remote file inclusion vulnerability in admin.panoramic.php in the Panoramic Picture Viewer (com_panoramic) mambot (plugin) 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. NOTE: the provenance of this… |
| CVE-2007-5362 | | | 0.06 | — | 0.37 | | Oct 11, 2007 | Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia Lite (com_mosmedia) 4.5.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) credits.html.php, (2)… |
| CVE-2007-5065 | | | 0.06 | — | 0.42 | | Sep 24, 2007 | PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. |
| CVE-2021-23132 | | | 0.05 | — | 0.07 | | Mar 4, 2021 | An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads |
| CVE-2019-12765 | | | 0.05 | — | 0.10 | | Jun 11, 2019 | An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. |
| CVE-2012-1563 | | | 0.04 | — | 0.09 | | Jan 15, 2020 | Joomla! before 2.5.3 allows Admin Account Creation. |
| CVE-2014-7981 | | | 0.04 | — | 0.09 | | Oct 8, 2014 | SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2008-3681 | | | 0.04 | — | 0.09 | | Aug 14, 2008 | components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user (lowest id)" password, typically for the administrator. |
| CVE-2008-0690 | | | 0.04 | — | 0.09 | | Feb 12, 2008 | SQL injection vulnerability in index.php in the mosDirectory (com_directory) 2.3.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a viewcat action. |
| CVE-2019-6263 | | | 0.03 | — | 0.04 | | Jan 16, 2019 | An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS. |
| CVE-2013-3242 | | | 0.03 | — | 0.05 | | May 3, 2013 | plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via… |
| CVE-2013-1453 | | | 0.03 | — | 0.03 | | Feb 13, 2013 | plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via… |
| CVE-2011-4909 | | | 0.03 | — | 0.02 | | Oct 7, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.5.12 allow remote attackers to inject arbitrary web script or HTML via the HTTP_REFERER header to (1) components/com_content/views/article/tmpl/form.php, (2) components/com_user/controller.php, (3)… |
| CVE-2012-1116 | | | 0.03 | — | 0.01 | | Sep 26, 2012 | SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-2679 | | | 0.03 | — | 0.01 | | Jul 8, 2010 | SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php. |
| CVE-2008-6852 | | | 0.03 | — | 0.01 | | Jul 7, 2009 | SQL injection vulnerability in the Ice Gallery (com_ice) component 0.5 beta 2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. |
| CVE-2009-1938 | | | 0.03 | — | 0.04 | | Jun 5, 2009 | Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to database output and the frontend administrative panel. |
| CVE-2009-1499 | | | 0.03 | — | 0.02 | | May 1, 2009 | SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in index.php. NOTE: SecurityFocus states that this issue has been disputed by the vendor. |
| CVE-2008-6068 | | | 0.03 | — | 0.01 | | Feb 10, 2009 | SQL injection vulnerability in the JoomlaDate (com_joomladate) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user parameter in a viewProfile action to index.php. |
| CVE-2008-2990 | | | 0.03 | — | 0.02 | | Jul 2, 2008 | PHP remote file inclusion vulnerability in facileforms.frame.php in the FacileForms (com_facileforms) component 1.4.4 for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the ff_compath parameter. |