# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2022-23798 |
601 |
|
|
2022-03-30 |
2022-04-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not. |
2 |
CVE-2022-23794 |
209 |
|
|
2022-03-30 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application. |
3 |
CVE-2022-23793 |
22 |
|
Dir. Trav. |
2022-03-30 |
2022-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path. |
4 |
CVE-2021-26037 |
613 |
|
|
2021-07-07 |
2021-07-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked. |
5 |
CVE-2021-26036 |
20 |
|
|
2021-07-07 |
2021-07-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table. |
6 |
CVE-2021-26031 |
|
|
|
2021-04-14 |
2021-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI. |
7 |
CVE-2021-26029 |
|
|
|
2021-03-04 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field. |
8 |
CVE-2021-26027 |
863 |
|
|
2021-03-04 |
2022-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article. |
9 |
CVE-2021-23132 |
|
|
|
2021-03-04 |
2021-03-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads |
10 |
CVE-2021-23131 |
20 |
|
|
2021-03-04 |
2021-03-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager. |
11 |
CVE-2021-23126 |
326 |
|
|
2021-03-04 |
2021-03-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret. |
12 |
CVE-2021-23123 |
862 |
|
|
2021-01-12 |
2021-01-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules. |
13 |
CVE-2020-35616 |
20 |
|
|
2020-12-28 |
2020-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations. |
14 |
CVE-2020-35614 |
200 |
|
+Info |
2020-12-28 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page. |
15 |
CVE-2020-35612 |
22 |
|
Dir. Trav. |
2020-12-28 |
2020-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability. |
16 |
CVE-2020-35611 |
200 |
|
+Info |
2020-12-28 |
2020-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values. |
17 |
CVE-2020-35610 |
|
|
|
2020-12-28 |
2020-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms. |
18 |
CVE-2020-24598 |
601 |
|
|
2020-08-26 |
2020-08-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open redirect. |
19 |
CVE-2020-15699 |
345 |
|
|
2020-07-15 |
2020-07-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration. |
20 |
CVE-2020-15698 |
200 |
|
+Info |
2020-07-15 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! through 3.9.19. Inadequate filtering on the system information screen could expose Redis or proxy credentials |
21 |
CVE-2020-13763 |
281 |
|
|
2020-06-02 |
2020-10-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users. |
22 |
CVE-2020-11891 |
863 |
|
|
2020-04-21 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups. |
23 |
CVE-2020-11890 |
20 |
|
|
2020-04-21 |
2020-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! before 3.9.17. Improper input validations in the usergroup table class could lead to a broken ACL configuration. |
24 |
CVE-2020-11889 |
863 |
|
|
2020-04-21 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups. |
25 |
CVE-2020-10240 |
20 |
|
|
2020-03-16 |
2020-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses. |
26 |
CVE-2020-10238 |
668 |
|
|
2020-03-16 |
2020-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors. |
27 |
CVE-2019-19845 |
22 |
|
Dir. Trav. |
2019-12-18 |
2019-12-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure. |
28 |
CVE-2019-18674 |
862 |
|
|
2019-11-06 |
2019-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure. |
29 |
CVE-2019-15028 |
|
|
|
2019-08-14 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms. |
30 |
CVE-2019-10946 |
306 |
|
|
2019-04-10 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users. |
31 |
CVE-2019-9713 |
862 |
|
|
2019-03-12 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access. |
32 |
CVE-2018-15881 |
|
|
|
2018-08-29 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in Joomla! before 3.8.12. Inadequate checks regarding disabled fields can lead to an ACL violation. |
33 |
CVE-2018-11325 |
209 |
|
|
2018-05-22 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen. |
34 |
CVE-2017-14596 |
90 |
|
|
2017-09-20 |
2017-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. |
35 |
CVE-2017-9933 |
200 |
|
+Info |
2017-07-17 |
2017-07-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents. |
36 |
CVE-2017-8057 |
200 |
|
+Info |
2017-04-25 |
2017-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused full path disclosures on systems with enabled error reporting. |
37 |
CVE-2017-7988 |
|
|
|
2017-04-25 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of form contents allows overwriting the author of an article. |
38 |
CVE-2017-7983 |
200 |
|
+Info |
2017-04-25 |
2017-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers. |
39 |
CVE-2016-9838 |
284 |
|
|
2016-12-16 |
2017-09-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task. |
40 |
CVE-2016-9837 |
264 |
|
|
2016-12-16 |
2016-12-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in templates/beez3/html/com_content/article/default.php in Joomla! before 3.6.5. Inadequate permissions checks in the Beez3 layout override of the com_content article view allow users to view articles that should not be publicly accessible, as demonstrated by an index.php?option=com_content&view=article&id=1&template=beez3 request. |
41 |
CVE-2015-7899 |
284 |
|
+Info |
2015-10-29 |
2015-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors. |
42 |
CVE-2015-7859 |
200 |
|
+Info |
2015-10-29 |
2015-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors. |
43 |
CVE-2015-5608 |
601 |
|
|
2017-09-20 |
2017-09-22 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1. |
44 |
CVE-2014-7229 |
|
|
DoS |
2014-10-08 |
2014-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Unspecified vulnerability in Joomla! before 2.5.4 before 2.5.26, 3.x before 3.2.6, and 3.3.x before 3.3.5 allows attackers to cause a denial of service via unspecified vectors. |
45 |
CVE-2013-3242 |
20 |
1
|
DoS |
2013-05-03 |
2014-03-07 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors. |
46 |
CVE-2013-1455 |
200 |
|
+Info |
2013-02-13 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to an "Undefined variable." |
47 |
CVE-2013-1454 |
200 |
|
+Info |
2013-02-13 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to "Coding errors." |
48 |
CVE-2012-3829 |
200 |
1
|
+Info |
2012-07-03 |
2012-07-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Joomla! 2.5.3 allows remote attackers to obtain the installation path via the Host HTTP Header. |
49 |
CVE-2012-2748 |
|
|
+Info |
2012-07-03 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to obtain sensitive information via vectors related to "Inadequate filtering" and a "SQL error." |
50 |
CVE-2012-1611 |
264 |
|
+Info |
2012-09-06 |
2013-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Joomla! 2.5.x before 2.5.4 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end" information via unknown attack vectors. NOTE: this might be a duplicate of CVE-2012-1599. |