All the vulnerabilities related to Joomla! Project - Joomla! CMS
cve-2021-26029
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 04:20
Summary
[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.845Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.6.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL Violation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:57.347Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html" } ], "title": "[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-26029", "STATE": "PUBLIC", "TITLE": "[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "1.6.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ACL Violation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26029", "datePublished": "2021-03-04T17:37:15.215145Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T04:20:09.806Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26033
Vulnerability from cvelistv5
Published
2021-05-26 10:22
Modified
2024-09-16 19:41
Summary
[20210502] - Core - CSRF in AJAX reordering endpoint
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.620Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.26" } ] } ], "datePublic": "2021-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:52.236Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html" } ], "title": "[20210502] - Core - CSRF in AJAX reordering endpoint", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-05-25T16:00:00", "ID": "CVE-2021-26033", "STATE": "PUBLIC", "TITLE": "[20210502] - Core - CSRF in AJAX reordering endpoint" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.26" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26033", "datePublished": "2021-05-26T10:22:34.147244Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T19:41:37.124Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21722
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-11-03 04:33
Summary
[20240201] - Core - Insufficient session expiration in MFA management views
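References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html | vendor-advisory |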
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21722", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T16:22:54.460242Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T17:26:08.085Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Carsten Schmitz" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The MFA management features did not properly terminate existing user sessions when a user\u0027s MFA methods have been modified." } ], "value": "The MFA management features did not properly terminate existing user sessions when a user\u0027s MFA methods have been modified." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-03T04:33:10.830Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240201] - Core - Insufficient session expiration in MFA management views", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21722", "datePublished": "2024-02-20T16:22:50.937Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-11-03T04:33:10.830Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27185
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2025-03-29 04:35
Summary
[20240802] - Core - Cache Poisoning in Pagination
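References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/942-20240802-core-cache-poisoning-in-pagination.html | vendor-advisory |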
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joomial_project:joomial_cms:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "joomial_cms", "vendor": "joomial_project", "versions": [ { "lessThanOrEqual": "3.10.16", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "4.4.6", "status": "affected", "version": "4.0.0", "versionType": "custom" }, { "lessThanOrEqual": "5.1.2", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27185", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-25T13:48:48.505953Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-25T13:51:12.846Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! 
Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.16" }, { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Shane Edwards" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors." } ], "value": "The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors." } ], "impacts": [ { "capecId": "CAPEC-141", "descriptions": [ { "lang": "en", "value": "CAPEC-141 Cache Poisoning" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-29T04:35:10.331Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/942-20240802-core-cache-poisoning-in-pagination.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240802] - Core - Cache Poisoning in Pagination", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27185", "datePublished": "2024-08-20T16:03:58.015Z", "dateReserved": "2024-02-21T04:29:37.776Z", "dateUpdated": "2025-03-29T04:35:10.331Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26030
Vulnerability from cvelistv5
Published
2021-04-14 17:34
Modified
2024-09-16 20:12
Summary
[20210401] - Core - Escape xss in logo parameter error pages
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.590Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.25" } ] } ], "datePublic": "2021-04-13T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page" } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:15.935Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html" } ], "title": "[20210401] - Core - Escape xss in logo parameter error pages", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-04-13T16:00:00", "ID": "CVE-2021-26030", "STATE": "PUBLIC", "TITLE": "[20210401] - Core - Escape xss in logo parameter error pages" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.25" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. 
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26030", "datePublished": "2021-04-14T17:34:57.954589Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T20:12:29.345Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40749
Vulnerability from cvelistv5
Published
2025-01-07 16:22
Modified
2025-01-08 14:46
Summary
[20250103] - Core - Read ACL violation in multiple core views
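References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html | vendor-advisory |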
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-40749", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-08T14:45:57.239214Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-08T14:46:53.984Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.9.0-3.10.19" }, { "status": "affected", "version": "4.0.0-4.4.9" }, { "status": "affected", "version": "5.0.0-5.2.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Dominik Ziegelm\u00fcller" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Access Controls allows access to protected views." } ], "value": "Improper Access Controls allows access to protected views." 
} ], "impacts": [ { "capecId": "CAPEC-1", "descriptions": [ { "lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-07T16:22:12.593Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20250103] - Core - Read ACL violation in multiple core views", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-40749", "datePublished": "2025-01-07T16:22:12.593Z", "dateReserved": "2024-07-09T18:05:54.409Z", "dateUpdated": "2025-01-08T14:46:53.984Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-22207
Vulnerability from cvelistv5
Published
2025-02-18 16:03
Modified
2025-02-18 16:25
Summary
[20250201] - Core - SQL injection vulnerability in Scheduled Tasks component
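References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/958-20250201-core-sql-injection-vulnerability-in-scheduled-tasks-component.html | vendor-advisory |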
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-22207", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-18T16:25:10.516830Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-18T16:25:24.340Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.1.0-4.4.10" }, { "status": "affected", "version": "5.0.0-5.2.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Calum Hutton, snyk.io" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler." } ], "value": "Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler." 
} ], "impacts": [ { "capecId": "CAPEC-66", "descriptions": [ { "lang": "en", "value": "CAPEC-66 SQL Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.7, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-18T16:03:29.639Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/958-20250201-core-sql-injection-vulnerability-in-scheduled-tasks-component.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20250201] - Core - SQL injection vulnerability in Scheduled Tasks component", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2025-22207", "datePublished": "2025-02-18T16:03:29.639Z", "dateReserved": "2025-01-01T04:33:02.765Z", "dateUpdated": "2025-02-18T16:25:24.340Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26032
Vulnerability from cvelistv5
Published
2021-05-26 10:22
Modified
2024-09-17 04:24
Summary
[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.570Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.26" } ] } ], "datePublic": "2021-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:23.462Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html" } ], "title": "[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-05-25T16:00:00", "ID": "CVE-2021-26032", "STATE": "PUBLIC", "TITLE": "[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.26" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26032", "datePublished": "2021-05-26T10:22:33.982379Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T04:24:33.536Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23131
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 00:51
Summary
[20210305] - Core - Input validation within the template manager
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.269Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Input Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:29.330Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html" } ], "title": "[20210305] - Core - Input validation within the template manager", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23131", "STATE": "PUBLIC", "TITLE": "[20210305] - Core - Input validation within the template manager" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. 
Missing input validation within the template manager." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23131", "datePublished": "2021-03-04T17:37:14.799964Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T00:51:57.175Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23751
Vulnerability from cvelistv5
Published
2023-02-01 21:12
Modified
2025-03-29 04:35
Summary
[20230102] - Core - Missing ACL checks for com_actionlogs
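References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html | vendor-advisory |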
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:26.894Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-23751", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-26T15:45:53.044298Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-26T18:26:59.331Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Faizan Wani" } ], "datePublic": "2023-01-31T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing ACL check allows non super-admin users to access com_actionlogs.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.4. 
A missing ACL check allows non super-admin users to access com_actionlogs." } ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Access Control", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-29T04:35:12.508Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230102] - Core - Missing ACL checks for com_actionlogs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23751", "datePublished": "2023-02-01T21:12:42.378Z", "dateReserved": "2023-01-17T19:02:50.302Z", "dateUpdated": "2025-03-29T04:35:12.508Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23123
Vulnerability from cvelistv5
Published
2021-01-12 20:19
Modified
2024-09-16 17:19
Summary
[20210101] - Core - com_modules exposes module names
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.267Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.23" } ] } ], "datePublic": "2021-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules." } ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:24.442Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html" } ], "title": "[20210101] - Core - com_modules exposes module names", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-01-12T16:00:00", "ID": "CVE-2021-23123", "STATE": "PUBLIC", "TITLE": "[20210101] - Core - com_modules exposes module names" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.23" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.23. 
The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23123", "datePublished": "2021-01-12T20:19:49.325740Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T17:19:11.273Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26037
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-17 04:09
Summary
[20210703] - Core - Lack of enforced session termination
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.711Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user\u0027s password was changed or the user was blocked." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:38.766Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html" } ], "title": "[20210703] - Core - Lack of enforced session termination", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26037", "STATE": "PUBLIC", "TITLE": "[20210703] - Core - Lack of enforced session termination" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. 
CMS functions did not properly termine existing user sessions when a user\u0027s password was changed or the user was blocked." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26037", "datePublished": "2021-07-07T10:12:47.003101Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T04:09:16.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21725
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-10-28 04:34
Summary
[20240204] - Core - XSS in mail address outputs
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21725", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T17:44:47.368140Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-27T02:09:02.756Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.950Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Gareth Heyes (PortSwigger Research)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components." 
} ], "value": "Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components." } ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-28T04:34:16.221Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240204] - Core - XSS in mail address outputs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21725", "datePublished": "2024-02-20T16:22:57.554Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-10-28T04:34:16.221Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21731
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2025-03-14 04:35
Summary
[20240703] - Core - XSS in StringHelper::truncate method
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21731", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-09T21:29:52.605292Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-13T15:05:29.485Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.922Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/937-20240703-core-xss-in-stringhelper-truncate-method.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.15" }, { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper handling of input could lead to an XSS vector in the StringHelper::truncate method." } ], "value": "Improper handling of input could lead to an XSS vector in the StringHelper::truncate method." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-14T04:35:24.835Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/937-20240703-core-xss-in-stringhelper-truncate-method.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240703] - Core - XSS in StringHelper::truncate method", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21731", "datePublished": "2024-07-09T16:15:43.351Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2025-03-14T04:35:24.835Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27186
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-11-26 04:35
Summary
[20240803] - Core - XSS in HTML Mail Templates
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/944-20240803-core-xss-in-html-mail-templates.html | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27186", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T17:38:52.591486Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T15:35:57.853Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Elysee Franchuk" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions." } ], "value": "The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T04:35:13.782Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/944-20240803-core-xss-in-html-mail-templates.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240803] - Core - XSS in HTML Mail Templates", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27186", "datePublished": "2024-08-20T16:03:56.863Z", "dateReserved": "2024-02-21T04:29:37.776Z", "dateUpdated": "2024-11-26T04:35:13.782Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35613
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 20:38
Summary
[20201104] - Core - SQL injection in com_users list view
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.337Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list." } ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:48.769Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html" } ], "title": "[20201104] - Core - SQL injection in com_users list view", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35613", "STATE": "PUBLIC", "TITLE": "[20201104] - Core - SQL injection in com_users list view" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.22. 
Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35613", "datePublished": "2020-12-28T19:39:18.351403Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T20:38:00.537Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23132
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 03:53
Summary
[20210306] - Core - com_media allowed paths that are not intended for image uploads
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.243Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads" } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Input Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:08.799Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html" } ], "title": "[20210306] - Core - com_media allowed paths that are not intended for image uploads", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23132", "STATE": "PUBLIC", "TITLE": "[20210306] - Core - com_media allowed paths that are not intended for image uploads" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23132", "datePublished": "2021-03-04T17:37:14.907908Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T03:53:00.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26038
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-17 03:38
Summary
[20210704] - Core - Privilege escalation through com_installer
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.734Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. Install action in com_installer lack the required hardcoded ACL checks for superusers. A default system is not affected cause the default ACL for com_installer is limited to super users already." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:13.249Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html" } ], "title": "[20210704] - Core - Privilege escalation through com_installer", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26038", "STATE": "PUBLIC", "TITLE": "[20210704] - Core - Privilege escalation through com_installer" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. Install action in com_installer lack the required hardcoded ACL checks for superusers. A default system is not affected cause the default ACL for com_installer is limited to super users already." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26038", "datePublished": "2021-07-07T10:12:47.940008Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T03:38:06.173Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23750
Vulnerability from cvelistv5
Published
2023-02-01 21:12
Modified
2025-03-29 04:35
Summary
[20230101] - Core - CSRF within post-installation messages
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.786Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/890-20230101-core-csrf-within-post-installation-messages.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-23750", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-26T15:47:06.160241Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-26T18:26:35.849Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Faizan Wani" } ], "datePublic": "2023-01-31T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.6. 
A missing token check causes a CSRF vulnerability in the handling of post-installation messages.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-29T04:35:17.502Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/890-20230101-core-csrf-within-post-installation-messages.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230101] - Core - CSRF within post-installation messages", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23750", "datePublished": "2023-02-01T21:12:36.067Z", "dateReserved": "2023-01-17T19:02:50.302Z", "dateUpdated": "2025-03-29T04:35:17.502Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27187
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-08-22 04:32
Summary
[20240804] - Core - Improper ACL for backend profile view
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "joomla\\!", "vendor": "joomla", "versions": [ { "lessThanOrEqual": "4.4.6", "status": "affected", "version": "4.0.0", "versionType": "custom" }, { "lessThanOrEqual": "5.1.2", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27187", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T19:24:02.130454Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-20T19:26:50.131Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Elysee Franchuk" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Access Controls allows backend users to overwrite their username when disallowed." } ], "value": "Improper Access Controls allows backend users to overwrite their username when disallowed." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T04:32:02.125Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/945-20240804-core-improper-acl-for-backend-profile-view.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240804] - Core - Improper ACL for backend profile view", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27187", "datePublished": "2024-08-20T16:03:43.540Z", "dateReserved": "2024-02-21T04:29:37.776Z", "dateUpdated": "2024-08-22T04:32:02.125Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35616
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 18:55
Summary
[20201107] - Core - Write ACL violation in multiple core views
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.691Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.7.0 - 3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL Violation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:34:07.578Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html" } ], "title": "[20201107] - Core - Write ACL violation in multiple core views", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35616", "STATE": "PUBLIC", "TITLE": "[20201107] - Core - Write ACL violation in multiple core views" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "1.7.0 - 3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 1.7.0 through 3.9.22. 
Lack of input validation while handling ACL rulesets can cause write ACL violations." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ACL Violation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35616", "datePublished": "2020-12-28T19:39:18.657708Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T18:55:49.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23754
Vulnerability from cvelistv5
Published
2023-05-30 16:12
Modified
2025-01-10 04:33
Summary
[20230501] - Core - Open Redirect and XSS within the mfa select
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.711Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-23754", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-09T21:31:11.643723Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-09T21:32:02.031Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0-4.3.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Srpopty from huntr.dev" } ], "datePublic": "2023-05-28T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.2.0 through 4.3.1. 
Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-10T04:33:39.676Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230501] - Core - Open Redirect and XSS within the mfa select", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23754", "datePublished": "2023-05-30T16:12:44.475Z", "dateReserved": "2023-01-17T19:48:53.503Z", "dateUpdated": "2025-01-10T04:33:39.676Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27911
Vulnerability from cvelistv5
Published
2022-08-31 10:00
Modified
2024-09-16 22:36
Summary
[20220801] - Core - Multiple Full Path Disclosures because of missing '_JEXEC or die check'
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:10.974Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0" } ] } ], "datePublic": "2022-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027 caused by the PSR12 changes." } ], "problemTypes": [ { "descriptions": [ { "description": "FPD", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:10.716Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html" } ], "title": "[20220801] - Core - Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-08-30T18:00:00", "ID": "CVE-2022-27911", "STATE": "PUBLIC", "TITLE": "[20220801] - Core - Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "4.2.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027 caused by the PSR12 changes." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "FPD" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27911", "datePublished": "2022-08-31T10:00:14.200946Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-09-16T22:36:40.634Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23755
Vulnerability from cvelistv5
Published
2023-05-30 16:12
Modified
2025-01-10 04:33
Summary
[20230502] - Core - Bruteforce prevention within the mfa screen
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.708Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-23755", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-09T21:32:28.579396Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-09T21:32:51.254Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0-4.3.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Phil Taylor" } ], "datePublic": "2023-05-28T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Lack of rate limiting", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-10T04:33:30.752Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230502] - Core - Bruteforce prevention within the mfa screen", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23755", "datePublished": "2023-05-30T16:12:32.399Z", "dateReserved": "2023-01-17T19:48:53.503Z", "dateUpdated": "2025-01-10T04:33:30.752Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35610
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-17 01:51
Summary
[20201101] - Core - com_finder ignores access levels on autosuggest
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.126Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:50.073Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html" } ], "title": "[20201101] - Core - com_finder ignores access levels on autosuggest", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35610", "STATE": "PUBLIC", "TITLE": "[20201101] - Core - com_finder ignores access levels on autosuggest" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 
2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35610", "datePublished": "2020-12-28T19:39:18.000331Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-17T01:51:48.440Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27184
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-11-26 04:34
Summary
[20240801] - Core - Inadequate validation of internal URLs
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27184", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T20:11:27.379332Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-04T21:10:28.411Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.4.6-3.10.16" }, { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Gareth Heyes (PortSwigger Research)" }, { "lang": "en", "type": "finder", "value": "Teodor Ivanov" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not." } ], "value": "Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "Open redirect", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T04:34:52.366Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/941-20240801-core-inadequate-validation-of-internal-urls.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240801] - Core - Inadequate validation of internal URLs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27184", "datePublished": "2024-08-20T16:03:51.605Z", "dateReserved": "2024-02-21T04:29:37.775Z", "dateUpdated": "2024-11-26T04:34:52.366Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23752
Vulnerability from cvelistv5
Published
2023-02-16 16:25
Modified
2025-07-31 16:19
Summary
[20230201] - Core - Improper access check in webservice endpoints
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "joomla\\!", "vendor": "joomla", "versions": [ { "lessThanOrEqual": "4.2.7", "status": "affected", "version": "4.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-23752", "options": [ { "Exploitation": "active" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T20:52:45.656035Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2024-01-08", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-23752" }, "type": "kev" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-30T01:37:30.891Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "timeline": [ { "lang": "en", "time": "2024-01-08T00:00:00+00:00", "value": "CVE-2023-23752 added to CISA KEV" } ], "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.640Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": 
"Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Zewei Zhang from NSFOCUS TIANJI Lab" } ], "datePublic": "2023-02-16T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-31T16:19:10.638Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230201] - Core - Improper access check in webservice endpoints", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23752", "datePublished": "2023-02-16T16:25:21.003Z", "dateReserved": "2023-01-17T19:02:50.302Z", "dateUpdated": "2025-07-31T16:19:10.638Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35615
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 23:21
Summary
[20201106] - Core - CSRF in com_privacy emailexport feature
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.243Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:33:12.294Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html" } ], "title": "[20201106] - Core - CSRF in com_privacy emailexport feature", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35615", "STATE": "PUBLIC", "TITLE": "[20201106] - Core - CSRF in com_privacy emailexport feature" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. 
A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35615", "datePublished": "2020-12-28T19:39:18.556142Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T23:21:35.122Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21730
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2025-03-20 04:34
Summary
[20240702] - Core - Self-XSS in fancyselect list field layout
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21730", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-23T19:15:56.740504Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-19T16:11:38.935Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.784Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/936-20240702-core-self-xss-in-fancyselect-list-field-layout.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector." } ], "value": "The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-20T04:34:42.326Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/936-20240702-core-self-xss-in-fancyselect-list-field-layout.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240702] - Core - Self-XSS in fancyselect list field layout", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21730", "datePublished": "2024-07-09T16:15:49.888Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2025-03-20T04:34:42.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23795
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 17:19
Summary
[20220303] - Core - User row are not bound to a authentication mechanism
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.058Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover." } ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:00.805Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html" } ], "title": "[20220303] - Core - User row are not bound to a authentication mechanism", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23795", "STATE": "PUBLIC", "TITLE": "[20220303] - Core - User row are not bound to a authentication mechanism" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23795", "datePublished": "2022-03-30T15:20:26.042065Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T17:19:08.109Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23801
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 19:35
Severity ?
EPSS score ?
Summary
[20220309] - Core - XSS attack vector through SVG
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.138Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:27.052Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html" } ], "title": "[20220309] - Core - XSS attack vector through SVG", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23801", "STATE": "PUBLIC", "TITLE": "[20220309] - Core - XSS attack vector through SVG" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23801", "datePublished": "2022-03-30T15:20:35.023851Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T19:35:51.135Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27914
Vulnerability from cvelistv5
Published
2022-11-08 18:50
Modified
2024-11-26 04:35
Severity ?
EPSS score ?
Summary
[20221101] - Core - RXSS through reflection of user input in com_media
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:11.011Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/887-20221101-core-rxss-through-reflection-of-user-input-in-com-media.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-27914", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-19T21:06:47.503605Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-19T21:09:16.148Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Denitz" } ], "datePublic": "2022-11-07T23:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Reflected Cross-Site Scripting (XSS)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T04:35:20.023Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/887-20221101-core-rxss-through-reflection-of-user-input-in-com-media.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20221101] - Core - RXSS through reflection of user input in com_media", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27914", "datePublished": "2022-11-08T18:50:10.534726Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-11-26T04:35:20.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-40626
Vulnerability from cvelistv5
Published
2023-11-29 12:28
Modified
2024-12-04 16:10
Severity ?
EPSS score ?
Summary
[20231101] - Core - Exposure of environment variables
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:38:50.992Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/919-20231101-core-exposure-of-environment-variables.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-40626", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-02T19:23:38.617845Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T19:24:03.443Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.6.0-4.4.0" }, { "status": "affected", "version": "5.0.0" } ] } ], "datePublic": "2023-11-21T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eThe language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.\u003c/p\u003e" } ], "value": "The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-04T16:10:05.927Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/919-20231101-core-exposure-of-environment-variables.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20231101] - Core - Exposure of environment variables", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-40626", "datePublished": "2023-11-29T12:28:47.787Z", "dateReserved": "2023-08-17T19:37:15.600Z", "dateUpdated": "2024-12-04T16:10:05.927Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23797
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 17:28
Severity ?
EPSS score ?
Summary
[20220305] - Core - Inadequate filtering on the selected Ids
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.025Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection." } ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:33.127Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html" } ], "title": "[20220305] - Core - Inadequate filtering on the selected Ids", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23797", "STATE": "PUBLIC", "TITLE": "[20220305] - Core - Inadequate filtering on the selected Ids" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23797", "datePublished": "2022-03-30T15:20:29.271982Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T17:28:28.264Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23794
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-17 02:41
Severity ?
EPSS score ?
Summary
[20220302] - Core - Path Disclosure within filesystem error messages
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
Joomla! Project | joomla/filesystem |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.080Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] }, { "product": "joomla/filesystem", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.0.0-1.6.1 \u0026 2.0.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:29.418Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html" } ], "title": "[20220302] - Core - Path Disclosure within filesystem error messages", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23794", "STATE": "PUBLIC", "TITLE": "[20220302] - Core - Path Disclosure within filesystem error messages" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! 
CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } }, { "product_name": "joomla/filesystem", "version": { "version_data": [ { "version_value": "1.0.0-1.6.1 \u0026 2.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23794", "datePublished": "2022-03-30T15:20:24.272061Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-17T02:41:10.057Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-25227
Vulnerability from cvelistv5
Published
2025-04-08 16:24
Modified
2025-04-21 07:16
Severity ?
EPSS score ?
Summary
[20250402] - Joomla Core - MFA Authentication Bypass
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-25227", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-08T18:54:33.776174Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-08T18:56:15.635Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.12" }, { "status": "affected", "version": "5.0.0-5.2.5" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Insufficient state checks lead to a vector that allows to bypass 2FA checks." } ], "value": "Insufficient state checks lead to a vector that allows to bypass 2FA checks." 
} ], "impacts": [ { "capecId": "CAPEC-115", "descriptions": [ { "lang": "en", "value": "CAPEC-115: Authentication Bypass" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-21T07:16:35.672Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20250402] - Joomla Core - MFA Authentication Bypass", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2025-25227", "datePublished": "2025-04-08T16:24:18.330Z", "dateReserved": "2025-02-04T14:21:34.509Z", "dateUpdated": "2025-04-21T07:16:35.672Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23798
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 22:19
Severity ?
EPSS score ?
Summary
[20220306] - Core - Inadequate validation of internal URLs
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.005Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not." } ], "problemTypes": [ { "descriptions": [ { "description": "Open redirect", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:20.836Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html" } ], "title": "[20220306] - Core - Inadequate validation of internal URLs", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23798", "STATE": "PUBLIC", "TITLE": "[20220306] - Core - Inadequate validation of internal URLs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Open redirect" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23798", "datePublished": "2022-03-30T15:20:30.757090Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T22:19:54.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35612
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 23:10
Severity ?
EPSS score ?
Summary
[20201103] - Core - Path traversal in mod_random_image
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.131Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Path traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:33:52.940Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html" } ], "title": "[20201103] - Core - Path traversal in mod_random_image", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35612", "STATE": "PUBLIC", "TITLE": "[20201103] - Core - Path traversal in mod_random_image" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. 
The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35612", "datePublished": "2020-12-28T19:39:18.241087Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T23:10:23.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23125
Vulnerability from cvelistv5
Published
2021-01-12 20:19
Modified
2024-09-16 17:27
Severity ?
EPSS score ?
Summary
[20210103] - Core - XSS in com_tags image parameters
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.303Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.1.0-3.9.23" } ] } ], "datePublic": "2021-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:14.555Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html" } ], "title": "[20210103] - Core - XSS in com_tags image parameters", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-01-12T16:00:00", "ID": "CVE-2021-23125", "STATE": "PUBLIC", "TITLE": "[20210103] - Core - XSS in com_tags image parameters" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.1.0-3.9.23" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.1.0 through 3.9.23. 
The lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23125", "datePublished": "2021-01-12T20:19:49.583211Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T17:27:49.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26035
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-16 17:43
Severity ?
EPSS score ?
Summary
[20210701] - Core - XSS in JForm Rules field
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.383Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:15.577Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html" } ], "title": "[20210701] - Core - XSS in JForm Rules field", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26035", "STATE": "PUBLIC", "TITLE": "[20210701] - Core - XSS in JForm Rules field" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26035", "datePublished": "2021-07-07T10:12:45.054468Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T17:43:25.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23793
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 20:59
Summary
[20220301] - Core - Zip Slip within the Tar extractor
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html | x_refsource_MISC, vendor-advisory | |
http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS | |
Joomla! Project | joomla/archive |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.084Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] }, { "product": "joomla/archive", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.0.0-1.1.11 \u0026 2.0.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could write files outside of the intended path." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:35.863Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html" } ], "title": "[20220301] - Core - Zip Slip within the Tar extractor", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23793", "STATE": "PUBLIC", "TITLE": "[20220301] - Core - Zip Slip within the Tar extractor" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } }, { "product_name": "joomla/archive", "version": { "version_data": [ { "version_value": "1.0.0-1.1.11 \u0026 2.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could write files outside of the intended path." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html" }, { "name": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23793", "datePublished": "2022-03-30T15:20:22.462121Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T20:59:09.256Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26034
Vulnerability from cvelistv5
Published
2021-05-26 10:22
Modified
2024-09-17 01:35
Summary
[20210503] - Core - CSRF in data download endpoints
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.26" } ] } ], "datePublic": "2021-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:02.199Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html" } ], "title": "[20210503] - Core - CSRF in data download endpoints", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-05-25T16:00:00", "ID": "CVE-2021-26034", "STATE": "PUBLIC", "TITLE": "[20210503] - Core - CSRF in data download endpoints" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.26" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26034", "datePublished": "2021-05-26T10:22:34.269999Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T01:35:34.502Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21724
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2025-03-29 04:35
Summary
[20240203] - Core - XSS in media selection fields
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21724", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T14:47:55.865463Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-27T21:16:17.026Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.037Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/927-20240203-core-xss-in-media-selection-fields.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.6.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Dominik Ziegelm\u00fcller" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions." } ], "value": "Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-29T04:35:15.450Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/927-20240203-core-xss-in-media-selection-fields.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240203] - Core - XSS in media selection fields", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21724", "datePublished": "2024-02-20T16:22:56.838Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2025-03-29T04:35:15.450Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21726
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-12-25 04:35
Summary
[20240205] - Core - Inadequate content filtering within the filter code
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21726", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T20:46:25.073985Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-04T20:25:00.725Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Stefan Schiller (Sonar)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate content filtering leads to XSS vulnerabilities in various components." } ], "value": "Inadequate content filtering leads to XSS vulnerabilities in various components." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-25T04:35:19.649Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html" }, { "tags": [ "technical-description" ], "url": "https://www.sonarsource.com/blog/joomla-multiple-xss-vulnerabilities/" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240205] - Core - Inadequate content filtering within the filter code", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21726", "datePublished": "2024-02-20T16:22:36.946Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2024-12-25T04:35:19.649Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26279
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2025-03-26 04:34
Summary
[20240704] - Core - XSS in Wrapper extensions
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/938-20240704-core-xss-in-wrapper-extensions.html | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26279", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T17:48:49.944961Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-25T17:50:08.586Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:07:18.839Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/938-20240704-core-xss-in-wrapper-extensions.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.15" }, { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The wrapper extensions do not correctly validate inputs, leading to XSS vectors." } ], "value": "The wrapper extensions do not correctly validate inputs, leading to XSS vectors." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-26T04:34:05.778Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/938-20240704-core-xss-in-wrapper-extensions.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240704] - Core - XSS in Wrapper extensions", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-26279", "datePublished": "2024-07-09T16:15:48.485Z", "dateReserved": "2024-02-15T12:00:47.368Z", "dateUpdated": "2025-03-26T04:34:05.778Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21729
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2025-03-26 04:33
Summary
[20240701] - Core - XSS in accessible media selection field
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21729", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T20:33:43.558188Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-25T16:28:50.566Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.802Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/935-20240701-core-xss-in-accessible-media-selection-field.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Marco Kadlubski" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field." } ], "value": "Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-26T04:33:56.179Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/935-20240701-core-xss-in-accessible-media-selection-field.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240701] - Core - XSS in accessible media selection field", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21729", "datePublished": "2024-07-09T16:15:51.461Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2025-03-26T04:33:56.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26278
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2025-03-14 04:35
Summary
[20240705] - Core - XSS in com_fields default field value
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-26278", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T16:34:58.108570Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-13T16:00:59.599Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:07:19.096Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/939-20240705-core-xss-in-com-fields-default-field-value.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.15" }, { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The Custom Fields component does not correctly filter inputs, leading to a XSS vector." } ], "value": "The Custom Fields component does not correctly filter inputs, leading to a XSS vector." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-14T04:35:37.574Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/939-20240705-core-xss-in-com-fields-default-field-value.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240705] - Core - XSS in com_fields default field value", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-26278", "datePublished": "2024-07-09T16:15:44.821Z", "dateReserved": "2024-02-15T12:00:47.368Z", "dateUpdated": "2025-03-14T04:35:37.574Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40748
Vulnerability from cvelistv5
Published
2025-01-07 16:22
Modified
2025-01-08 14:51
Summary
[20250102] - Core - XSS vector in the id attribute of menu lists
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-40748", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-08T14:49:52.190840Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-08T14:51:06.931Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.19" }, { "status": "affected", "version": "4.0.0-4.4.9" }, { "status": "affected", "version": "5.0.0-5.2.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Lokesh Dachepalli" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Lack of output escaping in the id attribute of menu lists." } ], "value": "Lack of output escaping in the id attribute of menu lists." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-07T16:22:00.896Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/955-20250102-core-xss-vector-in-the-id-attribute-of-menu-lists.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20250102] - Core - XSS vector in the id attribute of menu lists", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-40748", "datePublished": "2025-01-07T16:22:00.896Z", "dateReserved": "2024-07-09T18:05:54.409Z", "dateUpdated": "2025-01-08T14:51:06.931Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40743
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-11-03 04:33
Summary
[20240805] - Core - XSS vectors in Outputfilter::strip* methods
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-40743", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T16:13:51.725254Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T14:19:58.249Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.16" }, { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The stripImages and stripIframes methods didn\u0027t properly process inputs, leading to XSS vectors." } ], "value": "The stripImages and stripIframes methods didn\u0027t properly process inputs, leading to XSS vectors." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-03T04:33:21.199Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/946-20240805-core-xss-vectors-in-outputfilter-strip-methods.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240805] - Core - XSS vectors in Outputfilter::strip* methods", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-40743", "datePublished": "2024-08-20T16:03:45.461Z", "dateReserved": "2024-07-09T16:16:21.863Z", "dateUpdated": "2024-11-03T04:33:21.199Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23126
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 19:56
Summary
[20210301] - Core - Insecure randomness within 2FA secret generation
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.294Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Randomness", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:07.439Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "[20210301] - Core - Insecure randomness within 2FA secret generation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23126", "STATE": "PUBLIC", "TITLE": "[20210301] - Core - Insecure randomness within 2FA secret generation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Randomness" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23126", "datePublished": "2021-03-04T17:37:14.262006Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T19:56:11.607Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26040
Vulnerability from cvelistv5
Published
2021-08-24 14:20
Modified
2024-09-17 03:13
Severity ?
EPSS score ?
Summary
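[20210801] - Core - Insufficient access control for com_media deletion endpoint
Note: the record's problemTypes field labels this issue "CSRF", while its title and description describe a missing permission check before a file deletion.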
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.400Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0" } ] } ], "datePublic": "2021-08-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user\u0027s permissions before executing a file deletion command." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:19.507Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint" } ], "title": "[20210801] - Core - Insufficient access control for com_media deletion endpoint", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-08-24T16:00:00", "ID": "CVE-2021-26040", "STATE": "PUBLIC", "TITLE": "[20210801] - Core - Insufficient access control for com_media deletion endpoint" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "4.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0. 
The media manager does not correctly check the user\u0027s permissions before executing a file deletion command." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26040", "datePublished": "2021-08-24T14:20:13.190253Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T03:13:32.794Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23129
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 22:20
Severity ?
EPSS score ?
Summary
[20210303] - Core - XSS within alert messages showed to users
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.358Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages showed to users that could lead to xss issues." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:47.368Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html" } ], "title": "[20210303] - Core - XSS within alert messages showed to users", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23129", "STATE": "PUBLIC", "TITLE": "[20210303] - Core - XSS within alert messages showed to users" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. 
Missing filtering of messages showed to users that could lead to xss issues." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23129", "datePublished": "2021-03-04T17:37:14.594061Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T22:20:48.736Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23799
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 16:37
Severity ?
EPSS score ?
Summary
[20220307] - Core - Variable Tampering on JInput $_REQUEST data
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
Joomla! Project | joomla/input |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.070Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.1.0" } ] }, { "product": "joomla/input", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.0.0-2.0.1" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data." } ], "problemTypes": [ { "descriptions": [ { "description": "Variable Tampering", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:54.784Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html" } ], "title": "[20220307] - Core - Variable Tampering on JInput $_REQUEST data", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23799", "STATE": "PUBLIC", "TITLE": "[20220307] - Core - Variable Tampering on JInput $_REQUEST data" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! 
CMS", "version": { "version_data": [ { "version_value": "4.0.0-4.1.0" } ] } }, { "product_name": "joomla/input", "version": { "version_data": [ { "version_value": "2.0.0-2.0.1" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Variable Tampering" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23799", "datePublished": "2022-03-30T15:20:32.231485Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T16:37:47.886Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21723
Vulnerability from cvelistv5
Published
2024-02-20 16:23
Modified
2024-12-04 16:09
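Severity: 4.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N; score supplied in the CISA-ADP container, not by the CNA)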
EPSS score ?
Summary
[20240202] - Core - Open redirect in installation application
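References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html | vendor-advisory |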
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21723", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-01T18:39:52.520855Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T15:15:31.740Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.261Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.5.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "xishir" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate parsing of URLs could result into an open redirect." } ], "value": "Inadequate parsing of URLs could result into an open redirect." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-04T16:09:52.726Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240202] - Core - Open redirect in installation application", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21723", "datePublished": "2024-02-20T16:23:25.802Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-12-04T16:09:52.726Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35611
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 20:02
Severity ?
EPSS score ?
Summary
[20201102] - Core - Disclosure of secrets in Global Configuration page
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.043Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:55.963Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html" } ], "title": "[20201102] - Core - Disclosure of secrets in Global Configuration page", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35611", "STATE": "PUBLIC", "TITLE": "[20201102] - Core - Disclosure of secrets in Global Configuration page" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35611", "datePublished": "2020-12-28T19:39:18.132811Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T20:02:48.985Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40747
Vulnerability from cvelistv5
Published
2025-01-07 16:22
Modified
2025-01-07 16:57
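Severity: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; score supplied in the CISA-ADP container, not by the CNA)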
EPSS score ?
Summary
[20250101] - Core - XSS vectors in module chromes
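References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/954-20250101-core-xss-vectors-in-module-chromes.html | vendor-advisory |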
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-40747", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-07T16:57:25.464067Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-07T16:57:51.461Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.9" }, { "status": "affected", "version": "5.0.0-5.2.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Catalin Iovita" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Various module chromes didn\u0027t properly process inputs, leading to XSS vectors." } ], "value": "Various module chromes didn\u0027t properly process inputs, leading to XSS vectors." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-07T16:22:02.501Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/954-20250101-core-xss-vectors-in-module-chromes.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20250101] - Core - XSS vectors in module chromes", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-40747", "datePublished": "2025-01-07T16:22:02.501Z", "dateReserved": "2024-07-09T16:16:21.865Z", "dateUpdated": "2025-01-07T16:57:51.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23124
Vulnerability from cvelistv5
Published
2021-01-12 20:19
Modified
2024-09-16 16:23
Severity ?
EPSS score ?
Summary
[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.362Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.9.0-3.9.23" } ] } ], "datePublic": "2021-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:05.202Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html" } ], "title": "[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-01-12T16:00:00", "ID": "CVE-2021-23124", "STATE": "PUBLIC", "TITLE": "[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.9.0-3.9.23" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.23. 
The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23124", "datePublished": "2021-01-12T20:19:49.480301Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T16:23:39.058Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23130
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 02:21
Severity ?
EPSS score ?
Summary
[20210304] - Core - XSS within the feed parser library
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.357Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to xss issues." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:49.568Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html" } ], "title": "[20210304] - Core - XSS within the feed parser library", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23130", "STATE": "PUBLIC", "TITLE": "[20210304] - Core - XSS within the feed parser library" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to xss issues." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23130", "datePublished": "2021-03-04T17:37:14.702009Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T02:21:25.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35614
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 22:35
Severity ?
EPSS score ?
Summary
[20201105] - Core - User Enumeration in backend login
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.9.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page." } ], "problemTypes": [ { "descriptions": [ { "description": "User Enumeration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:43.791Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html" } ], "title": "[20201105] - Core - User Enumeration in backend login", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35614", "STATE": "PUBLIC", "TITLE": "[20201105] - Core - User Enumeration in backend login" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.9.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.22. 
Improper handling of the username leads to a user enumeration attack vector in the backend login page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Enumeration" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35614", "datePublished": "2020-12-28T19:39:18.455789Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T22:35:21.093Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26031
Vulnerability from cvelistv5
Published
2021-04-14 17:35
Modified
2024-09-17 01:01
Severity ?
EPSS score ?
Summary
[20210402] - Core - Inadequate filters on module layout settings
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.494Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.25" } ] } ], "datePublic": "2021-04-13T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI." } ], "problemTypes": [ { "descriptions": [ { "description": "LFI", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:51.801Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html" } ], "title": "[20210402] - Core - Inadequate filters on module layout settings", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-04-13T16:00:00", "ID": "CVE-2021-26031", "STATE": "PUBLIC", "TITLE": "[20210402] - Core - Inadequate filters on module layout settings" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.25" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. 
Inadequate filters on module layout settings could lead to an LFI." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "LFI" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26031", "datePublished": "2021-04-14T17:35:34.974375Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T01:01:47.475Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23796
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-17 02:27
Summary
[20220304] - Core - Missing input validation within com_fields class inputs
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.129Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.6" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:55.663Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html" } ], "title": "[20220304] - Core - Missing input validation within com_fields class inputs", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23796", "STATE": "PUBLIC", "TITLE": "[20220304] - Core - Missing input validation within com_fields class inputs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.7.0-3.10.6" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.7.0 through 3.10.6. 
Lack of input validation could allow an XSS attack using com_fields." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23796", "datePublished": "2022-03-30T15:20:27.595867Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-17T02:27:29.087Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27913
Vulnerability from cvelistv5
Published
2022-10-25 19:00
Modified
2024-09-16 17:15
Summary
[20221002] - Core - RXSS through reflection of user input in headings
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:11.117Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/886-20221002-core-reflected-xss-in-various-components.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0-4.2.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ajith Menon" } ], "datePublic": "2022-10-24T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Reflected Cross-Site Scripting (XSS)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:02.488Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/886-20221002-core-reflected-xss-in-various-components.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20221002] - Core - RXSS through reflection of user input in headings", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27913", "datePublished": "2022-10-25T19:00:15.710464Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-09-16T17:15:02.209Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26027
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 00:56
Summary
[20210307] - Core - ACL violation within com_content frontend editing
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.391Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL violation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:04.824Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html" } ], "title": "[20210307] - Core - ACL violation within com_content frontend editing", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-26027", "STATE": "PUBLIC", "TITLE": "[20210307] - Core - ACL violation within com_content frontend editing" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. 
Incorrect ACL checks could allow unauthorized change of the category for an article." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ACL violation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26027", "datePublished": "2021-03-04T17:37:15.005802Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T00:56:00.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23128
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 01:46
Summary
[20210302] - Core - Potential Insecure FOFEncryptRandval
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.408Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to \u0027random_bytes()\u0027 and its backport that is shipped within random_compat." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Randomness", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:19.495Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html" } ], "title": "[20210302] - Core - Potential Insecure FOFEncryptRandval", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23128", "STATE": "PUBLIC", "TITLE": "[20210302] - Core - Potential Insecure FOFEncryptRandval" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to \u0027random_bytes()\u0027 and its backport that is shipped within random_compat." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Randomness" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23128", "datePublished": "2021-03-04T17:37:14.499073Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T01:46:00.654Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26028
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 20:46
Summary
[20210308] - Core - Path Traversal within joomla/archive zip class
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.786Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. Extracting an specifilcy crafted zip package could write files outside of the intended path." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:07.514Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html" } ], "title": "[20210308] - Core - Path Traversal within joomla/archive zip class", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-26028", "STATE": "PUBLIC", "TITLE": "[20210308] - Core - Path Traversal within joomla/archive zip class" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. 
Extracting an specifilcy crafted zip package could write files outside of the intended path." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26028", "datePublished": "2021-03-04T17:37:15.113567Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T20:46:55.537Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26039
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-16 16:24
Summary
[20210705] - Core - XSS in com_media imagelist
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.396Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:25.768Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html" } ], "title": "[20210705] - Core - XSS in com_media imagelist", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26039", "STATE": "PUBLIC", "TITLE": "[20210705] - Core - XSS in com_media imagelist" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26039", "datePublished": "2021-07-07T10:12:48.839634Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T16:24:06.780Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26036
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-16 20:11
Summary
[20210702] - Core - DoS through usergroup table manipulation
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.361Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:57.898Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html" } ], "title": "[20210702] - Core - DoS through usergroup table manipulation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26036", "STATE": "PUBLIC", "TITLE": "[20210702] - Core - DoS through usergroup table manipulation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. 
Missing validation of input could lead to a broken usergroups table." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26036", "datePublished": "2021-07-07T10:12:46.110023Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T20:11:38.041Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27912
Vulnerability from cvelistv5
Published
2022-10-25 19:00
Modified
2024-09-16 22:31
Summary
[20221001] - Core - Debug Mode leaks full request payloads including passwords
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:10.972Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/885-20221001-core-disclosure-of-critical-information-in-debug-mode.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Peter Martin" } ], "datePublic": "2022-10-24T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:44.795Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/885-20221001-core-disclosure-of-critical-information-in-debug-mode.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20221001] - Core - Debug Mode leaks full request payloads including passwords", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27912", "datePublished": "2022-10-25T19:00:14.614946Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-09-16T22:31:14.253Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-22213
Vulnerability from cvelistv5
Published
2025-03-11 16:07
Modified
2025-03-11 19:24
Severity 7.1 HIGH (CVSS 4.0, CNA-assigned)
Summary
[20250301] - Core - Malicious file uploads via Media Manager
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-22213", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-11T19:24:33.147202Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-11T19:24:44.754Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.11" }, { "status": "affected", "version": "5.0.0-5.2.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "ErPaciocco" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate checks in the Media Manager allowed users with \"edit\" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions." } ], "value": "Inadequate checks in the Media Manager allowed users with \"edit\" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions." 
} ], "impacts": [ { "capecId": "CAPEC-253", "descriptions": [ { "lang": "en", "value": "CAPEC-253 Remote Code Inclusion" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/AU:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-11T16:07:28.921Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/961-20250301-core-malicious-file-uploads-via-media-managere-malicious-file-uploads-via-media-manager.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20250301] - Core - Malicious file uploads via Media Manager", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2025-22213", "datePublished": "2025-03-11T16:07:28.921Z", "dateReserved": "2025-01-01T04:33:02.765Z", "dateUpdated": "2025-03-11T19:24:44.754Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23800
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 19:35
Summary
[20220308] - Core - Inadequate content filtering within the filter code
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html | x_refsource_MISC, vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Joomla! Project | Joomla! CMS |
Joomla! Project | joomla/filter |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:45.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.1.0" } ] }, { "product": "joomla/filter", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.0.0-1.4.3 \u0026 2.0.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:03.881Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html" } ], "title": "[20220308] - Core - Inadequate content filtering within the filter code", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23800", "STATE": "PUBLIC", "TITLE": "[20220308] - Core - Inadequate content filtering within the filter code" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! 
CMS", "version": { "version_data": [ { "version_value": "4.0.0-4.1.0" } ] } }, { "product_name": "joomla/filter", "version": { "version_data": [ { "version_value": "1.0.0-1.4.3 \u0026 2.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23800", "datePublished": "2022-03-30T15:20:33.653594Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T19:35:06.733Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23127
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 23:32
Summary
[20210301] - Core - Insecure randomness within 2FA secret generation
References
URL | Tags |
---|---|
https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product |
---|---|
Joomla! Project | Joomla! CMS |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret according to RFC 4226 of 10 bytes vs 20 bytes." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Randomness", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:43.519Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "[20210301] - Core - Insecure randomness within 2FA secret generation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23127", "STATE": "PUBLIC", "TITLE": "[20210301] - Core - Insecure randomness within 2FA secret generation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret according to RFC 4226 of 10 bytes vs 20 bytes." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Randomness" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23127", "datePublished": "2021-03-04T17:37:14.392198Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T23:32:03.876Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }