| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-23801 | 79 | | XSS | 2022-03-30 | 2022-04-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS attack vector through SVG embedding in com_media. |
| 2 | CVE-2022-23800 | 79 | | XSS | 2022-03-30 | 2022-04-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components. |
| 3 | CVE-2022-23796 | 79 | | XSS | 2022-03-30 | 2022-04-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields. |
| 4 | CVE-2021-26039 | 79 | | XSS | 2021-07-07 | 2021-07-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to an XSS vulnerability. |
| 5 | CVE-2021-26038 | 754 | | | 2021-07-07 | 2021-07-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 2.5.0 through 3.9.27. The install action in com_installer lacks the required hardcoded ACL checks for superusers. A default system is not affected because the default ACL for com_installer is already limited to super users. |
| 6 | CVE-2021-26035 | 79 | | XSS | 2021-07-07 | 2021-07-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to an XSS vulnerability. |
| 7 | CVE-2021-26034 | 352 | | CSRF | 2021-05-26 | 2021-05-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo. |
| 8 | CVE-2021-26033 | 352 | | CSRF | 2021-05-26 | 2021-05-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint. |
| 9 | CVE-2021-26032 | 79 | | XSS | 2021-05-26 | 2021-05-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing from the executable block list of MediaHelper::canUpload, leading to XSS attack vectors. |
| 10 | CVE-2021-26030 | 79 | | XSS | 2021-04-14 | 2021-04-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on the error page. |
| 11 | CVE-2021-26028 | 22 | | Dir. Trav. | 2021-03-04 | 2021-03-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.0.0 through 3.9.24. Extracting a specifically crafted zip package could write files outside of the intended path. |
| 12 | CVE-2021-23130 | 79 | | XSS | 2021-03-04 | 2021-03-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to XSS issues. |
| 13 | CVE-2021-23129 | 79 | | XSS | 2021-03-04 | 2021-03-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages shown to users could lead to XSS issues. |
| 14 | CVE-2021-23125 | 79 | | XSS | 2021-01-12 | 2021-01-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views can lead to XSS attack vectors. |
| 15 | CVE-2021-23124 | 79 | | XSS | 2021-01-12 | 2021-01-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in the mod_breadcrumbs aria-label attribute allows XSS attacks. |
| 16 | CVE-2020-24599 | 79 | | XSS | 2020-08-26 | 2020-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.21. Lack of escaping in mod_latestactions allows XSS attacks. |
| 17 | CVE-2020-15697 | 732 | | | 2020-07-15 | 2020-07-15 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in Joomla! through 3.9.19. Internal read-only fields in the User table class could be modified by users. |
| 18 | CVE-2020-15696 | 79 | | XSS | 2020-07-15 | 2020-07-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! through 3.9.19. Lack of input filtering and escaping allows XSS attacks in mod_random_image. |
| 19 | CVE-2020-13762 | 79 | | XSS | 2020-06-02 | 2020-06-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS. |
| 20 | CVE-2020-13761 | 79 | | XSS | 2020-06-02 | 2020-10-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS. |
| 21 | CVE-2020-10242 | 79 | | XSS | 2020-03-16 | 2020-03-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks. |
| 22 | CVE-2020-8421 | 79 | | XSS | 2020-01-28 | 2020-02-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs. |
| 23 | CVE-2019-16725 | 79 | | XSS | 2019-09-24 | 2019-09-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. |
| 24 | CVE-2019-12766 | 79 | | XSS | 2019-06-11 | 2023-01-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. |
| 25 | CVE-2019-12764 | | | | 2019-06-11 | 2023-01-30 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users. |
| 26 | CVE-2019-11809 | 79 | | XSS | 2019-05-20 | 2019-05-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. |
| 27 | CVE-2019-11358 | 1321 | | | 2019-04-20 | 2022-04-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. |
| 28 | CVE-2019-9714 | 79 | | XSS | 2019-03-12 | 2019-03-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS. |
| 29 | CVE-2019-9712 | 79 | | XSS | 2019-03-12 | 2019-03-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS. |
| 30 | CVE-2019-9711 | 79 | | XSS | 2019-03-12 | 2019-03-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS. |
| 31 | CVE-2019-7744 | 79 | | XSS | 2019-02-12 | 2019-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability. |
| 32 | CVE-2019-7742 | 79 | | XSS | 2019-02-12 | 2019-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific file types and browser-side MIME-type sniffing, causes an XSS attack vector. |
| 33 | CVE-2019-7741 | 79 | | XSS | 2019-02-12 | 2019-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.3. Inadequate checks at the Global Configuration helpurl settings allowed stored XSS. |
| 34 | CVE-2019-7740 | 79 | | XSS | 2019-02-12 | 2019-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could lead to an XSS attack vector. |
| 35 | CVE-2019-7739 | | | | 2019-02-12 | 2020-08-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this. |
| 36 | CVE-2019-6264 | 79 | | XSS | 2019-01-16 | 2019-02-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in mod_banners leads to a stored XSS vulnerability. |
| 37 | CVE-2019-6261 | 79 | | XSS | 2019-01-16 | 2019-02-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in com_contact leads to a stored XSS vulnerability. |
| 38 | CVE-2018-17859 | | | | 2018-10-09 | 2019-10-03 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms. |
| 39 | CVE-2018-17857 | 863 | | | 2018-10-09 | 2019-10-03 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation. |
| 40 | CVE-2018-12711 | 79 | | XSS | 2018-06-26 | 2018-08-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflected XSS via injection of arbitrary parameters and/or values on the current page URL. |
| 41 | CVE-2018-11327 | 200 | | +Info | 2018-05-22 | 2018-06-22 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission. |
| 42 | CVE-2018-11324 | 362 | | | 2018-05-22 | 2018-06-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated. |
| 43 | CVE-2018-11321 | 20 | | | 2018-05-22 | 2018-06-22 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. |
| 44 | CVE-2018-6380 | 79 | | XSS | 2018-01-30 | 2018-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system. |
| 45 | CVE-2018-6379 | 79 | | XSS | 2018-01-30 | 2018-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability. |
| 46 | CVE-2018-6378 | 79 | | XSS | 2018-05-22 | 2018-06-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! Core before 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager. |
| 47 | CVE-2018-6377 | 79 | | XSS | 2018-01-30 | 2018-02-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox. |
| 48 | CVE-2017-16633 | 200 | | +Info | 2017-11-10 | 2017-11-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users. |
| 49 | CVE-2017-14595 | | | | 2017-09-20 | 2019-10-03 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. |
| 50 | CVE-2017-11612 | 79 | | XSS | 2017-07-26 | 2017-07-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. |