| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2013-3242 | 20 | | DoS | 2013-05-03 | 2013-05-03 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors. |
| 2 | CVE-2013-1455 | 200 | | +Info | 2013-02-12 | 2013-02-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to an "Undefined variable." |
| 3 | CVE-2013-1454 | 200 | | +Info | 2013-02-12 | 2013-03-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to "Coding errors." |
| 4 | CVE-2013-1453 | 200 | | Sql +Info | 2013-02-12 | 2013-03-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via the highlight parameter. Note: it was originally reported that this issue only allowed attackers to obtain sensitive information, but later analysis demonstrated that other attacks exist. |
| 5 | CVE-2012-3829 | 200 | 1 | +Info | 2012-07-03 | 2012-07-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 2.5.3 allows remote attackers to obtain the installation path via the Host HTTP Header. |
| 6 | CVE-2012-2748 | | | +Info | 2012-07-03 | 2012-07-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to obtain sensitive information via vectors related to "Inadequate filtering" and a "SQL error." |
| 7 | CVE-2012-1611 | 264 | | +Info | 2012-09-06 | 2012-12-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 2.5.x before 2.5.4 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end" information via unknown attack vectors. NOTE: this might be a duplicate of CVE-2012-1599. |
| 8 | CVE-2012-1599 | 264 | | +Info | 2012-12-03 | 2012-12-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.5.x before 1.5.26 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end information" via unknown vectors. NOTE: this might be a duplicate of CVE-2012-1611. |
| 9 | CVE-2012-0837 | 200 | | +Info | 2012-09-06 | 2012-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to obtain the installation path via unspecified vectors related to "administrator." |
| 10 | CVE-2012-0836 | | | | 2012-09-06 | 2012-09-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 allows attackers to read the error log via unknown vectors. |
| 11 | CVE-2012-0835 | | | +Info | 2012-09-06 | 2012-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to obtain sensitive information via unknown vectors related to "administrator." |
| 12 | CVE-2012-0821 | | | +Info | 2012-09-06 | 2012-09-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2012-0819. |
| 13 | CVE-2012-0819 | | | +Info | 2012-09-06 | 2012-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2012-0821. |
| 14 | CVE-2011-4911 | 20 | | | 2012-10-07 | 2012-10-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! before 1.5.12 does not perform a JEXEC check in unspecified files, which allows remote attackers to obtain the installation path via unspecified vectors. |
| 15 | CVE-2011-4321 | 310 | | | 2011-11-23 | 2011-11-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The password reset functionality in Joomla! 1.5.x through 1.5.24 uses weak random numbers, which makes it easier for remote attackers to change the passwords of arbitrary users via unspecified vectors. |
| 16 | CVE-2011-3747 | 200 | | +Info | 2011-09-23 | 2012-03-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.6.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by libraries/phpmailer/language/phpmailer.lang-joomla.php. |
| 17 | CVE-2011-2891 | 200 | | +Info | 2011-07-27 | 2011-08-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488. |
| 18 | CVE-2011-2890 | 200 | | +Info | 2011-07-27 | 2011-08-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488. |
| 19 | CVE-2011-2889 | 200 | | +Info | 2011-07-27 | 2011-08-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488. |
| 20 | CVE-2011-2488 | 200 | | +Info | 2011-07-27 | 2011-07-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors. |
| 21 | CVE-2009-3946 | 200 | | +Info | 2009-11-16 | 2009-11-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number, via a direct request. |
| 22 | CVE-2009-3945 | | | | 2009-11-16 | 2009-11-17 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | Unspecified vulnerability in the Front-End Editor in the com_content component in Joomla! before 1.5.15 allows remote authenticated users, with Author privileges, to replace the articles of an arbitrary user via unknown vectors. |
| 23 | CVE-2009-0113 | 22 | 1 | Dir. Trav. | 2009-01-09 | 2009-01-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in attachmentlibrary.php in the XStandard component for Joomla! 1.5.8 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the X_CMS_LIBRARY_PATH HTTP header. |
| 24 | CVE-2008-4122 | 310 | | | 2008-12-19 | 2009-01-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.5.8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. |
| 25 | CVE-2008-4104 | 59 | | | 2008-09-18 | 2009-08-19 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Multiple open redirect vulnerabilities in Joomla! 1.5 before 1.5.7 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a "passed in" URL. |
| 26 | CVE-2008-4103 | 20 | | | 2008-09-18 | 2009-08-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The mailto (aka com_mailto) component in Joomla! 1.5 before 1.5.7 sends e-mail messages without validating the URL, which allows remote attackers to transmit spam. |
| 27 | CVE-2008-3226 | 264 | | | 2008-07-18 | 2009-06-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The file caching implementation in Joomla! before 1.5.4 allows attackers to access cached pages via unknown attack vectors. |
| 28 | CVE-2007-4504 | | 1 | Dir. Trav. | 2007-08-23 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action. |
| 29 | CVE-2007-4185 | | | +Info | 2007-08-07 | 2008-11-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.0.12 allows remote attackers to obtain sensitive information via a direct request for (1) Stat.php, (2) OutputFilter.php, (3) OutputCache.php, (4) Modifier.php, (5) Reader.php, and (6) TemplateCache.php in includes/patTemplate/patTemplate/; (7) includes/Cache/Lite/Output.php; and other unspecified components, which reveal the path in various error messages. |
| 30 | CVE-2007-0375 | | | +Info | 2007-01-19 | 2008-11-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.5.0 Beta allows remote attackers to obtain sensitive information via a direct request for (1) plugins/user/example.php; (2) gmail.php, (3) example.php, or (4) ldap.php in plugins/authentication/; (5) modules/mod_mainmenu/menu.php; or other unspecified PHP scripts, which reveals the path in various error messages, related to a jimport function call at the beginning of each script. |
| 31 | CVE-2006-4473 | | | | 2006-08-31 | 2008-09-05 | 5.1 | User | Remote | High | Not required | Partial | Partial | Partial | Unspecified vulnerability in com_content in Joomla! before 1.0.11, when $mosConfig_hideEmail is set, allows attackers to perform the emailform and emailsend tasks. |
| 32 | CVE-2006-4466 | 20 | | | 2006-08-31 | 2011-10-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Joomla! before 1.0.11 does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to have an unspecified impact. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in Joomla!. |
| 33 | CVE-2006-4242 | | | Exec Code File Inclusion | 2006-08-21 | 2008-09-05 | 5.1 | User | Remote | High | Not required | Partial | Partial | Partial | PHP remote file inclusion vulnerability in install.jim.php in the JIM 1.0.1 component for Joomla or Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
| 34 | CVE-2006-3480 | | | XSS | 2006-07-10 | 2008-09-05 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.10 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters involving the (1) getUserStateFromRequest function, and the (2) SEF and (3) com_messages modules. |
| 35 | CVE-2006-1957 | 20 | | DoS | 2006-04-21 | 2013-01-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter. |
| 36 | CVE-2006-1956 | | | +Info | 2006-04-21 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to obtain sensitive information via an invalid feed parameter, which reveals the path in an error message. |
| 37 | CVE-2006-1048 | | | +Priv Bypass | 2006-03-07 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.0.7 and earlier allows attackers to bypass intended access restrictions and gain certain privileges via certain attack vectors related to the (1) Weblink, (2) Polls, (3) Newsfeeds, (4) Weblinks, (5) Content, (6) Content Section, (7) Content Category, (8) Contact items, or (9) Contact Search, (10) Content Search, (11) Newsfeed Search, or (12) Weblink Search. |
| 38 | CVE-2006-1030 | | | +Info | 2006-03-06 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in mod_templatechooser in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via an unspecified attack vector that reveals the path. |
| 39 | CVE-2006-1027 | | | +Info | 2006-03-06 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via a "/" (slash) in the feed parameter to index.php, which reveals the path in an error message. |
| 40 | CVE-2006-0114 | 264 | | | 2006-01-09 | 2011-06-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows remote attackers to obtain valid e-mail addresses to conduct spam attacks by modifying the contact_id parameter to index2.php. |
| 41 | CVE-2005-4650 | | | DoS | 2005-12-31 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Joomla! 1.03 does not restrict the number of "Search" Mambots, which allows remote attackers to cause a denial of service (resource consumption) via a large number of Search Mambots. |
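Rows 1 and 4 above (CVE-2013-3242 in remember.php, CVE-2013-1453 in highlight.php) are both the same bug class: `unserialize()` called on a value the client controls. The example below is added here and is not Joomla! code; the class name `TempDirCleaner`, the cookie format and the secret key are hypothetical. It shows the vulnerable call beside two hardened forms (the `allowed_classes` option, and replacing PHP serialization of client state with HMAC-signed JSON). The destructor only records what it would have deleted, so the script is safe to run on PHP 8.

```php
<?php
// Added example (not Joomla! code): unserialize() on attacker-controlled input
// becomes PHP object injection. Class, cookie layout and key are hypothetical.

declare(strict_types=1);

// A class that is loadable in the application. Its destructor does cleanup,
// which is harmless when trusted code constructs the object.
class TempDirCleaner
{
    public string $dir;

    public function __construct(string $dir)
    {
        $this->dir = $dir;
    }

    // The gadget: runs when the object is destroyed, no matter who built it.
    // Records instead of calling rmdir() so the demo is harmless.
    public function __destruct()
    {
        ObjectInjectionDemo::$log[] = "would delete directory {$this->dir}";
    }
}

final class ObjectInjectionDemo
{
    /** @var string[] */
    public static array $log = [];

    // VULNERABLE: the attacker chooses the class and every property value.
    public static function vulnerableRestore(string $raw): mixed
    {
        return unserialize($raw);
    }

    // HARDENED, option 1 (PHP >= 7.0): never instantiate a real class.
    // Objects come back as __PHP_Incomplete_Class; no magic method runs.
    public static function hardenedRestore(string $raw): mixed
    {
        return unserialize($raw, ['allowed_classes' => false]);
    }

    // HARDENED, option 2: keep client-side state as signed JSON. JSON cannot
    // express objects with behaviour, and the HMAC is checked before parsing.
    public static function issueToken(array $state, string $key): string
    {
        $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
        return $payload . '.' . hash_hmac('sha256', $payload, $key);
    }

    public static function readToken(string $token, string $key): ?array
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$payload, $mac] = $parts;
        if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
            return null; // forged or modified
        }
        return json_decode(base64_decode($payload, true), true, 512, JSON_THROW_ON_ERROR);
    }
}

// Constructed attacker input: a hand-written serialized TempDirCleaner whose
// $dir is a path the application never intended.
$malicious = 'O:14:"TempDirCleaner":1:{s:3:"dir";s:16:"/var/www/html/..";}';

$obj = ObjectInjectionDemo::vulnerableRestore($malicious);
unset($obj); // destructor fires with the attacker-chosen $dir
echo 'vulnerable: ' . (ObjectInjectionDemo::$log[0] ?? 'nothing') . PHP_EOL;

ObjectInjectionDemo::$log = [];
$obj = ObjectInjectionDemo::hardenedRestore($malicious);
echo 'hardened: got ' . get_class($obj) . PHP_EOL; // __PHP_Incomplete_Class
unset($obj);
echo 'hardened log entries: ' . count(ObjectInjectionDemo::$log) . PHP_EOL; // 0

$key = 'example-key-replace-with-a-real-secret';
$token = ObjectInjectionDemo::issueToken(['user' => 42, 'remember' => true], $key);
var_dump(ObjectInjectionDemo::readToken($token, $key));
var_dump(ObjectInjectionDemo::readToken($token . 'x', $key)); // NULL: MAC mismatch
```

When auditing a PHP code base for this class, grep for `unserialize(` and trace every argument back to its source; `allowed_classes => false` is the minimal fix where the format cannot be changed, and signed JSON is the fix where it can.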
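Row 15 above (CVE-2011-4321) describes a password reset token drawn from a weak random source. The example below is added here and is not Joomla! code; the storage layout and the `alice` account are hypothetical. It contrasts a seed-determined `mt_rand()` token with one from the OS CSPRNG, and stores only a hash of the issued token, compared in constant time and redeemable once.

```php
<?php
// Added example (not Joomla! code): weak vs. CSPRNG-backed reset tokens, with
// hash-only storage, expiry, single use and constant-time comparison.
// The "database" is an in-memory array; names are hypothetical.

declare(strict_types=1);

final class ResetTokens
{
    /** @var array<string,array{user:string,hash:string,expires:int}> */
    private array $store = [];

    // WEAK: mt_rand() seeded from something guessable (a timestamp, a PID) is
    // reproducible. An attacker who knows roughly when the reset was requested
    // enumerates the few candidate seeds and regenerates the token.
    public static function weakToken(int $seed): string
    {
        mt_srand($seed);
        return md5((string) mt_rand());
    }

    // STRONG: 32 bytes from the OS CSPRNG, hex-encoded (64 characters).
    public static function strongToken(): string
    {
        return bin2hex(random_bytes(32));
    }

    // The raw token goes to the user by e-mail; only its hash is persisted so a
    // leaked table does not hand out live reset tokens.
    public function issue(string $user, int $ttlSeconds = 900): string
    {
        $token = self::strongToken();
        $id = bin2hex(random_bytes(8)); // lookup handle, carries no secret
        $this->store[$id] = [
            'user'    => $user,
            'hash'    => hash('sha256', $token),
            'expires' => time() + $ttlSeconds,
        ];
        return $id . ':' . $token;
    }

    // Returns the account the token belongs to, or null. Single use.
    public function redeem(string $presented): ?string
    {
        $parts = explode(':', $presented, 2);
        if (count($parts) !== 2 || !isset($this->store[$parts[0]])) {
            return null;
        }
        [$id, $token] = $parts;
        $rec = $this->store[$id];
        if ($rec['expires'] < time()) {
            unset($this->store[$id]);
            return null;
        }
        if (!hash_equals($rec['hash'], hash('sha256', $token))) {
            return null; // constant-time compare: no timing oracle on the hash
        }
        unset($this->store[$id]); // one shot
        return $rec['user'];
    }
}

// The weak generator is fully determined by its seed: same seed, same token.
$t = 1321987200; // constructed timestamp
echo "weak, seed {$t}: " . ResetTokens::weakToken($t) . PHP_EOL;
echo "weak, seed {$t}: " . ResetTokens::weakToken($t) . PHP_EOL; // identical
echo 'strong:           ' . ResetTokens::strongToken() . PHP_EOL;

$tokens = new ResetTokens();
$link = $tokens->issue('alice');
var_dump($tokens->redeem($link));          // string(5) "alice"
var_dump($tokens->redeem($link));          // NULL (already used)
var_dump($tokens->redeem('bogus:token'));  // NULL
```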
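Row 25 above (CVE-2008-4104) is an open redirect through a "passed in" URL. The example below is added here and is not Joomla! code; the parameter name, the application host `www.example.org` and the candidate URLs are constructed. It accepts only a site-relative path or an absolute URL on the application's own host, and rejects the usual bypasses (protocol-relative `//host`, the backslash variant, userinfo tricks, non-HTTP schemes and CRLF).

```php
<?php
// Added example (not Joomla! code): validating a redirect target before
// issuing Location:. Host name and candidate URLs are constructed.

declare(strict_types=1);

final class SafeRedirect
{
    // Returns a safe target, or $fallback when the candidate must be refused.
    public static function target(?string $candidate, string $appHost, string $fallback = '/'): string
    {
        if ($candidate === null || $candidate === '') {
            return $fallback;
        }
        // Control characters, including CR/LF, would let the value break out of
        // the Location header.
        if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
            return $fallback;
        }
        // Browsers treat a backslash like a slash in the authority position, so
        // "/\evil.example" is really "//evil.example". Normalise before parsing.
        $normalised = str_replace('\\', '/', $candidate);
        $parts = parse_url($normalised);
        if ($parts === false) {
            return $fallback;
        }
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');

        // Case 1: site-relative path such as /index.php?option=com_content.
        // Exactly one leading slash; "//host/..." is protocol-relative.
        if ($scheme === '' && $host === '') {
            $path = $parts['path'] ?? '';
            if ($path !== '' && $path[0] === '/' && !str_starts_with($path, '//')) {
                return $normalised;
            }
            return $fallback;
        }

        // Case 2: absolute URL, accepted only for our own host over http(s)
        // and without userinfo (https://www.example.org@evil.example/).
        if (in_array($scheme, ['http', 'https'], true)
            && $host === strtolower($appHost)
            && !isset($parts['user']) && !isset($parts['pass'])) {
            return $normalised;
        }
        return $fallback; // javascript:, data:, foreign hosts
    }
}

// Constructed candidates for a "return to" parameter.
$appHost = 'www.example.org';
$cases = [
    '/index.php?option=com_content&view=article&id=7',
    'https://www.example.org/administrator/',
    'https://evil.example/login',             // foreign host
    '//evil.example/login',                   // protocol-relative
    '/\\evil.example/login',                  // backslash variant
    'https://www.example.org@evil.example/',  // userinfo trick
    'javascript:alert(1)',
    "/ok\r\nSet-Cookie: a=b",                 // CRLF
    '',
];
foreach ($cases as $c) {
    printf("%-48s -> %s\n", json_encode($c), SafeRedirect::target($c, $appHost));
}
```

Only the first two candidates come back unchanged; every other line prints the fallback `/`. An allow-list of exact paths is stricter still and is the right choice where the set of legitimate return targets is small.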
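Rows 23 and 28 above (CVE-2009-0113 via the X_CMS_LIBRARY_PATH header, CVE-2007-4504 via the `path` parameter) are both `..` traversal in a path the client supplies. The example below is added here and is not Joomla!, XStandard or RSfiles code; the base directory and the sample inputs are constructed. It normalises the path lexically (so it also covers targets that do not exist yet), rejects absolute paths and NUL bytes, and re-checks with `realpath()` against symlinks when the target exists. It generalises beyond the two rows by handling the backslash and NUL-byte variants as well.

```php
<?php
// Added example (not Joomla!, XStandard or RSfiles code): confining a
// client-supplied path, from a header or a query parameter, to one base
// directory. Base directory and inputs are constructed.

declare(strict_types=1);

final class SafePath
{
    // Lexical normalisation: drop '.', resolve '..', refuse anything that
    // climbs above the starting point. Touches no filesystem state.
    public static function normaliseRelative(string $path): ?string
    {
        $path = str_replace('\\', '/', $path);
        if ($path === '' || $path[0] === '/' || preg_match('/^[A-Za-z]:/', $path)) {
            return null; // absolute (POSIX or drive-letter) paths are never acceptable
        }
        if (str_contains($path, "\0")) {
            return null; // NUL-byte truncation of the extension check
        }
        $out = [];
        foreach (explode('/', $path) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue;
            }
            if ($seg === '..') {
                if ($out === []) {
                    return null; // would escape the base directory
                }
                array_pop($out);
                continue;
            }
            $out[] = $seg;
        }
        return implode('/', $out);
    }

    // Join with the base; when the target exists, confirm with realpath() that
    // a symlink inside the base does not point outside it.
    public static function resolve(string $base, string $userPath): ?string
    {
        $rel = self::normaliseRelative($userPath);
        if ($rel === null) {
            return null;
        }
        $baseReal = realpath($base);
        if ($baseReal === false) {
            return null;
        }
        $candidate = $baseReal . ($rel === '' ? '' : DIRECTORY_SEPARATOR . $rel);
        $real = realpath($candidate);
        if ($real !== false
            && strncmp($real . DIRECTORY_SEPARATOR, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
            return null; // symlink escaped the base
        }
        return $candidate;
    }
}

// Constructed inputs mirroring the two vectors in the table: the value of an
// X_CMS_LIBRARY_PATH header and the value of a `path` query parameter.
$base = sys_get_temp_dir();
$inputs = [
    'images/2009/logo.png',            // benign
    '../../../../etc/passwd',          // dot-dot
    '..\\..\\windows\\win.ini',        // backslash variant
    'images/../../../etc/shadow',      // climbs after a legitimate prefix
    '/etc/passwd',                     // absolute
    "images/x.png\0.jpg",              // NUL byte
    'images/./sub/../logo.png',        // benign dots, resolves to images/logo.png
];
foreach ($inputs as $in) {
    $res = SafePath::resolve($base, $in);
    printf("%-34s => %s\n", json_encode($in), $res ?? 'REJECTED');
}
```

Only the first and last inputs resolve; the rest print `REJECTED`. Note that a header is as attacker-controlled as a query string, so the same check applies to both sources.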