Joomla : Security Vulnerabilities (File inclusion)
An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion.
| Max Base Score | 8.8 |
| Published | 2018-06-26 |
| Updated | 2018-08-20 |
| EPSS | 0.21% |
PHP remote file inclusion vulnerability in the SEF404x (com_sef) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig.absolute.path parameter to index.php.
| Max Base Score | 7.5 |
| Published | 2010-07-12 |
| Updated | 2010-07-12 |
| EPSS | 1.42% |
PHP remote file inclusion vulnerability in index.php in Joomla! 1.0.11 through 1.0.14, when RG_EMULATION is enabled in configuration.php, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
| Max Base Score | 7.5 |
| Published | 2008-12-19 |
| Updated | 2018-10-11 |
| EPSS | 1.46% |
PHP remote file inclusion vulnerability in admin.rssreader.php in the Simple RSS Reader (com_rssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 10.0 |
| Published | 2008-11-13 |
| Updated | 2017-09-29 |
| EPSS | 22.86% |
PHP remote file inclusion vulnerability in facileforms.frame.php in the FacileForms (com_facileforms) component 1.4.4 for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the ff_compath parameter.
| Max Base Score | 7.5 |
| Published | 2008-07-02 |
| Updated | 2017-09-29 |
| EPSS | 2.12% |
Multiple PHP remote file inclusion vulnerabilities in Michael Dempfle Joomla Flash Uploader (com_jfu or com_joomla_flash_uploader) 2.5.1 component for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) install.joomla_flash_uploader.php and (2) uninstall.joomla_flash_uploader.php.
| Max Base Score | 6.8 |
| Published | 2007-10-14 |
| Updated | 2018-10-15 |
| EPSS | 6.12% |
PHP remote file inclusion vulnerability in admin.color.php in the com_colorlab (aka com_color) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 6.8 |
| Published | 2007-10-14 |
| Updated | 2017-09-29 |
| EPSS | 2.47% |
PHP remote file inclusion vulnerability in admin.wmtrssreader.php in the webmaster-tips.net Flash RSS Reader (com_wmtrssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 6.8 |
| Published | 2007-10-12 |
| Updated | 2018-10-15 |
| EPSS | 5.36% |
** DISPUTED ** PHP remote file inclusion vulnerability in preview.php in the swMenuFree (com_swmenufree) 4.6 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: a reliable third party disputes this issue because preview.php tests a certain constant to prevent direct requests.
| Max Base Score | 6.8 |
| Published | 2007-10-12 |
| Updated | 2018-10-15 |
| EPSS | 1.06% |
PHP remote file inclusion vulnerability in admin.panoramic.php in the Panoramic Picture Viewer (com_panoramic) mambot (plugin) 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
| Max Base Score | 6.8 |
| Published | 2007-10-11 |
| Updated | 2017-07-29 |
| EPSS | 1.98% |
Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia Lite (com_mosmedia) 4.5.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) credits.html.php, (2) info.html.php, (3) media.divs.php, (4) media.divs.js.php, (5) purchase.html.php, or (6) support.html.php in includes/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: vector 3 may be the same as CVE-2007-2043.2.
| Max Base Score | 6.8 |
| Published | 2007-10-11 |
| Updated | 2017-07-29 |
| EPSS | 4.60% |
PHP remote file inclusion vulnerability in admin.wmtportfolio.php in the webmaster-tips.net wmtportfolio 1.0 (com_wmtportfolio) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
| Max Base Score | 6.8 |
| Published | 2007-10-09 |
| Updated | 2017-09-29 |
| EPSS | 2.48% |
PHP remote file inclusion vulnerability in admin.wmtgallery.php in the webmaster-tips.net Flash Image Gallery (com_wmtgallery) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 6.8 |
| Published | 2007-10-09 |
| Updated | 2017-09-29 |
| EPSS | 5.80% |
PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 7.5 |
| Published | 2007-09-24 |
| Updated | 2017-09-29 |
| EPSS | 2.90% |
PHP remote file inclusion vulnerability in admin.joomlaflashfun.php in the Flash Fun! (com_joomlaflashfun) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 6.8 |
| Published | 2007-09-18 |
| Updated | 2017-09-29 |
| EPSS | 1.98% |
PHP remote file inclusion vulnerability in admin.joom12pic.php in the joom12Pic (com_joom12pic) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 6.8 |
| Published | 2007-09-18 |
| Updated | 2017-09-29 |
| EPSS | 2.63% |
PHP remote file inclusion vulnerability in admin.joomlaradiov5.php in the Joomla Radio 5 (com_joomlaradiov5) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
| Max Base Score | 6.8 |
| Published | 2007-09-17 |
| Updated | 2017-09-29 |
| EPSS | 8.95% |
PHP remote file inclusion vulnerability in langset.php in J! Reactions (com_jreactions) 1.8.1 and earlier, a Joomla! component, allows remote attackers to execute arbitrary PHP code via a URL in the comPath parameter.
| Max Base Score | 7.5 |
| Published | 2007-08-08 |
| Updated | 2018-10-15 |
| EPSS | 8.97% |
PHP remote file inclusion vulnerability in admin.tour_toto.php in the Tour de France Pool (com_tour_toto) 1.0.1 module for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
| Max Base Score | 6.8 |
| Published | 2007-08-08 |
| Updated | 2018-10-15 |
| EPSS | 12.02% |
Multiple PHP remote file inclusion vulnerabilities in the OpenWiki (formerly JD-Wiki) component (com_jd-wiki) 1.0.2, and possibly earlier, for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) dwpage.php or (2) wantedpages.php, different vectors than CVE-2006-4074. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
| Max Base Score | 6.8 |
| Published | 2007-06-08 |
| Updated | 2008-11-15 |
| EPSS | 1.77% |
PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blavet PhpConcept Library, as used in multiple products including (1) Joomla! 1.5.0 Beta, (2) N/X Web Content Management System (WCMS) 4.5, (3) CJG EXPLORER PRO 3.3, and (4) phpSiteBackup 0.1, allows remote attackers to execute arbitrary PHP code via a URL in the g_pcltar_lib_dir parameter.
| Max Base Score | 6.8 |
| Published | 2007-04-24 |
| Updated | 2018-10-16 |
| EPSS | 66.00% |
** DISPUTED ** PHP remote file inclusion vulnerability in jambook.php in the Jambook (com_Jambook) 1.0 beta7 module for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: this issue has been disputed by a reliable third party because the jambook.php protects against direct request.
| Max Base Score | 6.8 |
| Published | 2007-04-24 |
| Updated | 2018-10-16 |
| EPSS | 1.77% |
Multiple PHP remote file inclusion vulnerabilities in the Taskhopper 1.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) contact_type.php, (2) itemstatus_type.php, (3) projectstatus_type.php, (4) request_type.php, (5) responses_type.php, (6) timelog_type.php, or (7) urgency_type.php in inc/.
| Max Base Score | 6.8 |
| Published | 2007-04-12 |
| Updated | 2017-10-11 |
| EPSS | 10.13% |
Multiple PHP remote file inclusion vulnerabilities in the SWmenu (com_swmenupro and com_swmenufree) 4.0 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to ImageManager/Classes/ImageManager.php under the (1) components/ or (2) administrator/components/ directory trees.
| Max Base Score | 10.0 |
| Published | 2007-03-27 |
| Updated | 2017-10-11 |
| EPSS | 13.51% |
Multiple PHP remote file inclusion vulnerabilities in the NFN Address Book (com_nfn_addressbook) 0.4 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) components/com_nfn_addressbook/nfnaddressbook.php or (2) administrator/components/com_nfn_addressbook/nfnaddressbook.php.
| Max Base Score | 9.3 |
| Published | 2007-03-22 |
| Updated | 2017-10-11 |
| EPSS | 10.35% |