Joomla: Security Vulnerabilities (Bypass)
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Max Base Score | 5.3 |
Published | 2023-02-16 |
Updated | 2023-02-24 |
EPSS | 53.86% |
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.
Max Base Score | 9.8 |
Published | 2022-03-30 |
Updated | 2022-04-05 |
EPSS | 0.19% |
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
Max Base Score | 7.5 |
Published | 2019-03-12 |
Updated | 2020-08-24 |
EPSS | 0.27% |
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.
Max Base Score | 9.8 |
Published | 2017-11-10 |
Updated | 2017-11-28 |
EPSS | 1.24% |
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.
Max Base Score | 7.5 |
Published | 2016-12-16 |
Updated | 2017-09-02 |
EPSS | 1.15% |
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist these file extensions as uploadable file types.
Max Base Score | 9.8 |
Published | 2016-12-05 |
Updated | 2016-12-07 |
EPSS | 1.80% |
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
Max Base Score | 5.0 |
Published | 2015-10-29 |
Updated | 2015-10-30 |
EPSS | 0.26% |
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
Max Base Score | 7.5 |
Published | 2014-10-08 |
Updated | 2014-10-09 |
EPSS | 1.00% |
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Joomla! Core versions 1.5.0 through 1.5.15 are vulnerable.
Max Base Score | 9.8 |
Published | 2021-06-21 |
Updated | 2021-06-25 |
EPSS | 0.22% |
9 vulnerabilities found