Joomla : Security Vulnerabilities, CVEs, (Bypass)
CVE-2023-23752
Known exploited
Public exploit
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Max CVSS
5.3
EPSS Score
94.86%
Published
2023-02-16
Updated
2024-01-09
CISA KEV Added
2024-01-08
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.
Max CVSS
9.8
EPSS Score
0.20%
Published
2022-03-30
Updated
2022-04-05
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
Max CVSS
7.5
EPSS Score
0.27%
Published
2019-03-12
Updated
2020-08-24
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.
Max CVSS
9.8
EPSS Score
1.22%
Published
2017-11-10
Updated
2017-11-28
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.
Max CVSS
7.5
EPSS Score
1.15%
Published
2016-12-16
Updated
2017-09-02
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist these file extensions as uploadable file types.
Max CVSS
9.8
EPSS Score
1.80%
Published
2016-12-05
Updated
2016-12-07
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
Max CVSS
5.0
EPSS Score
0.26%
Published
2015-10-29
Updated
2015-10-30
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
Max CVSS
7.5
EPSS Score
1.00%
Published
2014-10-08
Updated
2014-10-09
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
Max CVSS
9.8
EPSS Score
0.21%
Published
2021-06-21
Updated
2021-06-25
9 vulnerabilities found