Vendor CVEs
Joomla
All CVEs
1,051 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-15696 | | | 0.00 | — | 0.03 | | Jul 15, 2020 | An issue was discovered in Joomla! through 3.9.19. Lack of input filtering and escaping allows XSS attacks in mod_random_image. |
| CVE-2020-15695 | | | 0.00 | — | 0.01 | | Jul 15, 2020 | An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability. |
| CVE-2020-13760 | | | 0.00 | — | 0.01 | | Jun 2, 2020 | In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. |
| CVE-2020-13761 | | | 0.00 | — | 0.01 | | Jun 2, 2020 | In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS. |
| CVE-2020-13762 | | | 0.00 | — | 0.01 | | Jun 2, 2020 | In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS. |
| CVE-2020-13763 | | | 0.00 | — | 0.01 | | Jun 2, 2020 | In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users. |
| CVE-2020-11891 | | | 0.00 | — | 0.01 | | Apr 21, 2020 | An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups. |
| CVE-2020-11889 | | | 0.00 | — | 0.01 | | Apr 21, 2020 | An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups. |
| CVE-2020-11890 | | | 0.00 | — | 0.03 | | Apr 21, 2020 | An issue was discovered in Joomla! before 3.9.17. Improper input validations in the usergroup table class could lead to a broken ACL configuration. |
| CVE-2020-10243 | | | 0.00 | — | 0.02 | | Mar 16, 2020 | An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Featured Articles frontend menutype. |
| CVE-2020-10242 | | | 0.00 | — | 0.01 | | Mar 16, 2020 | An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks. |
| CVE-2020-10241 | | | 0.00 | — | 0.01 | | Mar 16, 2020 | An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF. |
| CVE-2020-10240 | | | 0.00 | — | 0.01 | | Mar 16, 2020 | An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses. |
| CVE-2015-7339 | | | 0.00 | — | 0.01 | | Mar 9, 2020 | JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a .php file extension for an image file to the /com_jce/editor/libraries/classes/browser.php script. |
| CVE-2015-2062 | | | 0.00 | — | 0.02 | | Feb 8, 2020 | Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to… |
| CVE-2011-1151 | | | 0.00 | — | 0.02 | | Feb 5, 2020 | Joomla! 1.6.0 is vulnerable to SQL Injection via the filter_order and filer_order_Dir parameters. |
| CVE-2011-4912 | | | 0.00 | — | 0.01 | | Feb 4, 2020 | Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass. |
| CVE-2011-3629 | | | 0.00 | — | 0.01 | | Feb 4, 2020 | Joomla! core 1.7.1 allows information disclosure due to weak encryption. |
| CVE-2011-4937 | | | 0.00 | — | 0.02 | | Feb 4, 2020 | Joomla! 1.7.1 has core information disclosure due to inadequate error checking. |
| CVE-2020-8419 | | | 0.00 | — | 0.00 | | Jan 28, 2020 | An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities. |
| CVE-2020-8421 | | | 0.00 | — | 0.01 | | Jan 28, 2020 | An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs. |
| CVE-2020-8420 | | | 0.00 | — | 0.01 | | Jan 28, 2020 | An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability. |
| CVE-2011-3595 | | | 0.00 | — | 0.01 | | Jan 22, 2020 | Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters. |
| CVE-2011-4907 | | | 0.00 | — | 0.01 | | Jan 15, 2020 | Joomla! 1.5x through 1.5.12: Missing JEXEC Check |
| CVE-2012-1562 | | | 0.00 | — | 0.01 | | Jan 15, 2020 | Joomla! core before 2.5.3 allows unauthorized password change. |
| CVE-2019-20212 | | | 0.00 | — | 0.03 | | Jan 13, 2020 | The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form. |
| CVE-2019-20211 | | | 0.00 | — | 0.03 | | Jan 13, 2020 | The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address,… |
| CVE-2019-20210 | | | 0.00 | — | 0.03 | | Jan 13, 2020 | The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query. |
| CVE-2019-20209 | | | 0.00 | — | 0.03 | | Jan 13, 2020 | The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Insecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. |
| CVE-2013-3932 | | | 0.00 | — | 0.02 | | Jan 2, 2020 | SQL injection vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to execute arbitrary SQL commands via the id parameter in an editProfile action to administrator/index.php. |
| CVE-2013-3931 | | | 0.00 | — | 0.01 | | Jan 2, 2020 | Cross-site scripting (XSS) vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to inject arbitrary web script or HTML via the property_name parameter, related to editing property… |
| CVE-2019-17527 | | | 0.00 | — | 0.01 | | Dec 19, 2019 | dataForDepandantField in models/custormfields.php in the JS JOBS FREE extension before 1.2.7 for Joomla! allows SQL Injection via the index.php?option=com_jsjobs&task=customfields.getfieldtitlebyfieldandfieldfo child parameter. |
| CVE-2019-19846 | | | 0.00 | — | 0.02 | | Dec 18, 2019 | In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors. |
| CVE-2019-19845 | | | 0.00 | — | 0.01 | | Dec 18, 2019 | In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure. |
| CVE-2019-18650 | | | 0.00 | — | 0.00 | | Nov 6, 2019 | An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability. |
| CVE-2019-18674 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure. |
| CVE-2015-9487 | | | 0.00 | — | 0.03 | | Oct 11, 2019 | The ThemeMakers Almera Responsive Portfolio theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI. |
| CVE-2019-15028 | | | 0.00 | — | 0.01 | | Aug 14, 2019 | In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms. |
| CVE-2019-14654 | | | 0.00 | — | 0.02 | | Aug 5, 2019 | In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9. |
| CVE-2019-12869 | | | 0.00 | — | 0.04 | | Jun 24, 2019 | An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to an Out-Of-Bounds Read, Information Disclosure, and remote code execution. The attacker needs to… |
| CVE-2019-12870 | | | 0.00 | — | 0.04 | | Jun 24, 2019 | An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to an Uninitialized Pointer and remote code execution. The attacker needs to get access to an… |
| CVE-2019-12871 | | | 0.00 | — | 0.04 | | Jun 24, 2019 | An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to a Use-After-Free and remote code execution. The attacker needs to get access to an original PC… |
| CVE-2018-17374 | | | 0.00 | — | 0.02 | | Jun 19, 2019 | SQL Injection exists in the Auction Factory 4.5.5 component for Joomla! via the filter_order_Dir or filter_order parameter. |
| CVE-2018-17381 | | | 0.00 | — | 0.02 | | Jun 19, 2019 | SQL Injection exists in the Dutch Auction Factory 2.0.2 component for Joomla! via the filter_order_Dir or filter_order parameter. |
| CVE-2018-17386 | | | 0.00 | — | 0.02 | | Jun 19, 2019 | SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joomla! via the id parameter, or the PATH_INFO to mydeals/ or listdeals/. |
| CVE-2018-17399 | | | 0.00 | — | 0.02 | | Jun 19, 2019 | SQL Injection exists in the Jimtawl 2.2.7 component for Joomla! via the id parameter. |
| CVE-2019-12766 | | | 0.00 | — | 0.01 | | Jun 11, 2019 | An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. |
| CVE-2019-12764 | | | 0.00 | — | 0.01 | | Jun 11, 2019 | An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users. |
| CVE-2019-11809 | | | 0.00 | — | 0.01 | | May 20, 2019 | An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. |
| CVE-2019-10946 | | | 0.00 | — | 0.01 | | Apr 10, 2019 | An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users. |
Page 17 of 22