| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-6264 | 79 | | XSS | 2019-01-16 | 2019-01-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability. |
| 2 | CVE-2019-6261 | 79 | | XSS | 2019-01-16 | 2019-01-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability. |
| 3 | CVE-2018-17859 | 254 | | | 2018-10-09 | 2018-11-26 | 4.0 | None | Remote | Low | Single system | None | Partial | None | An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms. |
| 4 | CVE-2018-17857 | 284 | | | 2018-10-09 | 2018-11-26 | 4.0 | None | Remote | Low | Single system | None | Partial | None | An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation. |
| 5 | CVE-2018-12711 | 79 | | XSS | 2018-06-26 | 2018-08-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL. |
| 6 | CVE-2018-11327 | 200 | | +Info | 2018-05-22 | 2018-06-22 | 4.0 | None | Remote | Low | Single system | Partial | None | None | An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission. |
| 7 | CVE-2018-11324 | 362 | | | 2018-05-22 | 2018-06-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated. |
| 8 | CVE-2018-11321 | 20 | | | 2018-05-22 | 2018-06-22 | 4.0 | None | Remote | Low | Single system | None | Partial | None | An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. |
| 9 | CVE-2018-6380 | 79 | | XSS | 2018-01-30 | 2018-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system. |
| 10 | CVE-2018-6379 | 79 | | XSS | 2018-01-30 | 2018-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability. |
| 11 | CVE-2018-6378 | 79 | | XSS | 2018-05-22 | 2018-06-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager. |
| 12 | CVE-2018-6377 | 79 | | XSS | 2018-01-30 | 2018-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox |
| 13 | CVE-2017-16633 | 200 | | +Info | 2017-11-09 | 2017-11-28 | 4.0 | None | Remote | Low | Single system | Partial | None | None | In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users. |
| 14 | CVE-2017-14595 | 200 | | +Info | 2017-09-20 | 2017-09-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. |
| 15 | CVE-2017-11612 | 79 | | XSS | 2017-07-26 | 2017-07-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. |
| 16 | CVE-2017-9934 | 79 | | XSS CSRF | 2017-07-17 | 2017-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability. |
| 17 | CVE-2017-7989 | 434 | | | 2017-04-25 | 2017-05-02 | 4.0 | None | Remote | Low | Single system | None | Partial | None | In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden. |
| 18 | CVE-2017-7987 | 79 | | XSS | 2017-04-25 | 2017-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component. |
| 19 | CVE-2017-7986 | 79 | | XSS | 2017-04-25 | 2017-05-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components. |
| 20 | CVE-2017-7985 | 79 | | XSS | 2017-04-25 | 2017-09-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components. |
| 21 | CVE-2017-7984 | 79 | | XSS | 2017-04-25 | 2017-05-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component. |
| 22 | CVE-2015-6939 | 79 | | XSS | 2015-09-18 | 2016-12-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the login module in Joomla! 3.4.x before 3.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 23 | CVE-2014-7983 | 79 | | XSS | 2014-10-08 | 2014-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in com_contact in Joomla! CMS 3.1.2 through 3.2.x before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 24 | CVE-2014-7982 | 79 | | XSS | 2014-10-08 | 2014-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 25 | CVE-2014-6631 | 79 | | XSS | 2014-10-08 | 2014-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in com_media in Joomla! 3.2.x before 3.2.5 and 3.3.x before 3.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 26 | CVE-2014-0794 | 79 | 1 | Exec Code Sql XSS | 2014-01-26 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action to index.php. |
| 27 | CVE-2013-5583 | 79 | | XSS | 2013-12-28 | 2016-12-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. |
| 28 | CVE-2013-3267 | 79 | | XSS | 2013-05-03 | 2013-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the highlighter plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 29 | CVE-2013-3059 | 79 | | XSS | 2013-05-03 | 2013-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Voting plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 30 | CVE-2013-3058 | 79 | | XSS | 2013-05-03 | 2013-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31 | CVE-2013-3057 | 264 | | Bypass | 2013-05-03 | 2013-05-03 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and list the privileges of arbitrary users via unspecified vectors. |
| 32 | CVE-2013-3056 | 264 | | Bypass | 2013-05-03 | 2013-05-03 | 4.0 | None | Remote | Low | Single system | None | None | Partial | Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and delete the private messages of arbitrary users via unspecified vectors. |
| 33 | CVE-2012-5827 | | | | 2012-11-11 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Joomla! 2.5.x before 2.5.8 and 3.0.x before 3.0.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors involving "Inadequate protection." |
| 34 | CVE-2012-5455 | 79 | | XSS | 2012-10-22 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the language search component in Joomla! before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "typographical error." |
| 35 | CVE-2012-4532 | 79 | | XSS | 2012-10-31 | 2012-11-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl/default.php in the Language Switcher module for Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php. NOTE: some of these details are obtained from third party information. |
| 36 | CVE-2012-4531 | 79 | | XSS | 2012-10-31 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 37 | CVE-2012-3828 | 79 | 1 | XSS | 2012-07-03 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the Host HTTP Header. |
| 38 | CVE-2012-2413 | 79 | | XSS | 2014-10-20 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php. |
| 39 | CVE-2012-1612 | 79 | | XSS | 2012-09-06 | 2012-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the update manager in Joomla! 2.5.x before 2.5.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 40 | CVE-2012-1117 | 79 | | XSS | 2012-09-25 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 2.5.0 and 2.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 41 | CVE-2012-0822 | 79 | | XSS | 2012-09-06 | 2012-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 1.6 and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0820. |
| 42 | CVE-2012-0820 | 79 | | XSS | 2012-09-06 | 2012-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0822. |
| 43 | CVE-2011-4910 | 79 | | XSS | 2012-10-07 | 2012-10-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! before 1.5.12 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. |
| 44 | CVE-2011-4909 | 79 | | XSS | 2012-10-07 | 2012-10-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.5.12 allow remote attackers to inject arbitrary web script or HTML via the HTTP_REFERER header to (1) components/com_content/views/article/tmpl/form.php, (2) components/com_user/controller.php, (3) plugins/system/legacy/html.php, or (4) templates/beez/html/com_content/article/form.php. |
| 45 | CVE-2011-4332 | 79 | | XSS | 2011-11-23 | 2011-11-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 46 | CVE-2011-2892 | 20 | | | 2011-07-27 | 2011-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
| 47 | CVE-2011-2710 | 79 | | XSS | 2011-07-27 | 2018-08-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509.5. |
| 48 | CVE-2011-2509 | 79 | | XSS | 2011-07-27 | 2018-08-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. |
| 49 | CVE-2011-0005 | 79 | 1 | XSS | 2011-01-10 | 2018-10-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the com_search module for Joomla! 1.0.x through 1.0.15 allows remote attackers to inject arbitrary web script or HTML via the ordering parameter to index.php. |
| 50 | CVE-2010-3712 | 79 | | XSS | 2010-10-27 | 2018-08-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x before 1.5.21 and 1.6.x before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving "multiple encoded entities," as demonstrated by the query string to index.php in the com_weblinks or com_content component. |