All the vulnerabilities related to Joomla! Project - Joomla! CMS
cve-2024-21729
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2024-08-02 04:34
Severity ?
EPSS score ?
Summary
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.4.5 Version: 5.0.0-5.1.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-21729", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T20:33:43.558188Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-24T20:34:09.799Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.802Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/935-20240701-core-xss-in-accessible-media-selection-field.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Marco Kadlubski" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field." } ], "value": "Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T04:34:57.555Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/935-20240701-core-xss-in-accessible-media-selection-field.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240701] - Core - XSS in accessible media selection field", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21729", "datePublished": "2024-07-09T16:15:51.461Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2024-08-02T04:34:57.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27911
Vulnerability from cvelistv5
Published
2022-08-31 10:00
Modified
2024-09-16 22:36
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.2.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:10.974Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0" } ] } ], "datePublic": "2022-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027 caused by the PSR12 changes." } ], "problemTypes": [ { "descriptions": [ { "description": "FPD", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:10.716Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html" } ], "title": "[20220801] - Core - Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-08-30T18:00:00", "ID": "CVE-2022-27911", "STATE": "PUBLIC", "TITLE": "[20220801] - Core - Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "4.2.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing \u0027_JEXEC or die check\u0027 caused by the PSR12 changes." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "FPD" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27911", "datePublished": "2022-08-31T10:00:14.200946Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-09-16T22:36:40.634Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26029
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 04:20
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow the author field to be overwritten.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 1.6.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.845Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.6.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL Violation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:57.347Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html" } ], "title": "[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-26029", "STATE": "PUBLIC", "TITLE": "[20210309] - Core - Inadequate filtering of form contents could allow to overwrite the author field" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "1.6.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ACL Violation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/849-20210309-core-inadequate-filtering-of-form-contents-could-allow-to-overwrite-the-author-field.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26029", "datePublished": "2021-03-04T17:37:15.215145Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T04:20:09.806Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23795
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 17:19
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.10.6 & 4.0.0-4.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.058Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover." } ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:00.805Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html" } ], "title": "[20220303] - Core - User row are not bound to a authentication mechanism", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23795", "STATE": "PUBLIC", "TITLE": "[20220303] - Core - User row are not bound to a authentication mechanism" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/872-20220303-core-user-row-are-not-bound-to-a-authentication-mechanism.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23795", "datePublished": "2022-03-30T15:20:26.042065Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T17:19:08.109Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27912
Vulnerability from cvelistv5
Published
2022-10-25 19:00
Modified
2024-09-16 22:31
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.2.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:10.972Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/885-20221001-core-disclosure-of-critical-information-in-debug-mode.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Peter Martin" } ], "datePublic": "2022-10-24T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:44.795Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/885-20221001-core-disclosure-of-critical-information-in-debug-mode.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20221001] - Core - Debug Mode leaks full request payloads including passwords", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27912", "datePublished": "2022-10-25T19:00:14.614946Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-09-16T22:31:14.253Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26028
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 20:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Extracting a specifically crafted zip package could write files outside of the intended path.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.786Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. Extracting an specifilcy crafted zip package could write files outside of the intended path." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:07.514Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html" } ], "title": "[20210308] - Core - Path Traversal within joomla/archive zip class", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-26028", "STATE": "PUBLIC", "TITLE": "[20210308] - Core - Path Traversal within joomla/archive zip class" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. 
Extracting an specifilcy crafted zip package could write files outside of the intended path." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26028", "datePublished": "2021-03-04T17:37:15.113567Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T20:46:55.537Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27184
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-11-26 04:34
Severity ?
EPSS score ?
Summary
Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.4.6-3.10.16 Version: 4.0.0-4.4.6 Version: 5.0.0-5.1.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27184", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T20:11:27.379332Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-04T21:10:28.411Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.4.6-3.10.16" }, { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Gareth Heyes (PortSwigger Research)" }, { "lang": "en", "type": "finder", "value": "Teodor Ivanov" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not." } ], "value": "Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "Open redirect", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T04:34:52.366Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/941-20240801-core-inadequate-validation-of-internal-urls.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240801] - Core - Inadequate validation of internal URLs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27184", "datePublished": "2024-08-20T16:03:51.605Z", "dateReserved": "2024-02-21T04:29:37.775Z", "dateUpdated": "2024-11-26T04:34:52.366Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26033
Vulnerability from cvelistv5
Published
2021-05-26 10:22
Modified
2024-09-16 19:41
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.26 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.620Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.26" } ] } ], "datePublic": "2021-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:52.236Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html" } ], "title": "[20210502] - Core - CSRF in AJAX reordering endpoint", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-05-25T16:00:00", "ID": "CVE-2021-26033", "STATE": "PUBLIC", "TITLE": "[20210502] - Core - CSRF in AJAX reordering endpoint" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.26" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/853-20210502-core-csrf-in-ajax-reordering-endpoint.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26033", "datePublished": "2021-05-26T10:22:34.147244Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T19:41:37.124Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26032
Vulnerability from cvelistv5
Published
2021-05-26 10:22
Modified
2024-09-17 04:24
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.26 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.570Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.26" } ] } ], "datePublic": "2021-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:23.462Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html" } ], "title": "[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-05-25T16:00:00", "ID": "CVE-2021-26032", "STATE": "PUBLIC", "TITLE": "[20210501] - Core - Adding HTML to the executable block list of MediaHelper::canUpload" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.26" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. HTML was missing in the executable block list of MediaHelper::canUpload, leading to XSS attack vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/852-20210501-core-adding-html-to-the-executable-block-list-of-mediahelper-canupload.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26032", "datePublished": "2021-05-26T10:22:33.982379Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T04:24:33.536Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26036
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-16 20:11
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.27 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.361Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:57.898Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html" } ], "title": "[20210702] - Core - DoS through usergroup table manipulation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26036", "STATE": "PUBLIC", "TITLE": "[20210702] - Core - DoS through usergroup table manipulation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. 
Missing validation of input could lead to a broken usergroups table." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/857-20210702-core-dos-through-usergroup-table-manipulation.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26036", "datePublished": "2021-07-07T10:12:46.110023Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T20:11:38.041Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-40743
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-11-03 04:33
Severity ?
EPSS score ?
Summary
The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.10.16 Version: 4.0.0-4.4.6 Version: 5.0.0-5.1.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-40743", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T16:13:51.725254Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T14:19:58.249Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.16" }, { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The stripImages and stripIframes methods didn\u0027t properly process inputs, leading to XSS vectors." } ], "value": "The stripImages and stripIframes methods didn\u0027t properly process inputs, leading to XSS vectors." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-03T04:33:21.199Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/946-20240805-core-xss-vectors-in-outputfilter-strip-methods.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240805] - Core - XSS vectors in Outputfilter::strip* methods", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-40743", "datePublished": "2024-08-20T16:03:45.461Z", "dateReserved": "2024-07-09T16:16:21.863Z", "dateUpdated": "2024-11-03T04:33:21.199Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23126
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 19:56
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The insecure rand() function is used in the process of generating the 2FA secret.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.2.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.294Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Randomness", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:07.439Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "[20210301] - Core - Insecure randomness within 2FA secret generation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23126", "STATE": "PUBLIC", "TITLE": "[20210301] - Core - Insecure randomness within 2FA secret generation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. 
Usage of the insecure rand() function within the process of generating the 2FA secret." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Randomness" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23126", "datePublished": "2021-03-04T17:37:14.262006Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T19:56:11.607Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23751
Vulnerability from cvelistv5
Published
2023-02-01 21:12
Modified
2024-08-04 08:41
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0 through 4.2.4 (the affected-version entry below and the record's HTML description give 4.0.0 through 4.2.6). A missing ACL check allows non super-admin users to access com_actionlogs.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.2.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:26.894Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Faizan Wani" } ], "datePublic": "2023-01-31T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing ACL check allows non super-admin users to access com_actionlogs.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Access Control", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:53.095Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230102] - Core - Missing ACL checks for com_actionlogs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23751", "datePublished": "2023-02-01T21:12:42.378Z", "dateReserved": "2023-01-17T19:02:50.302Z", "dateUpdated": "2024-08-04T08:41:53.095Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21724
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-08-02 04:33
Severity ?
EPSS score ?
Summary
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 1.6.0-3.10.14 Version: 4.0.0-4.4.2 Version: 5.0.0-5.0.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-21724", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T14:47:55.865463Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:37:38.088Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.037Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/927-20240203-core-xss-in-media-selection-fields.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.6.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Dominik Ziegelm\u00fcller" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions." } ], "value": "Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T04:33:59.883Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/927-20240203-core-xss-in-media-selection-fields.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240203] - Core - XSS in media selection fields", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21724", "datePublished": "2024-02-20T16:22:56.838Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-08-02T04:33:59.883Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26034
Vulnerability from cvelistv5
Published
2021-05-26 10:22
Modified
2024-09-17 01:35
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.26 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.26" } ] } ], "datePublic": "2021-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:02.199Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html" } ], "title": "[20210503] - Core - CSRF in data download endpoints", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-05-25T16:00:00", "ID": "CVE-2021-26034", "STATE": "PUBLIC", "TITLE": "[20210503] - Core - CSRF in data download endpoints" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.26" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.26. 
A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/854-20210503-core-csrf-in-data-download-endpoints.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26034", "datePublished": "2021-05-26T10:22:34.269999Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T01:35:34.502Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23124
Vulnerability from cvelistv5
Published
2021-01-12 20:19
Modified
2024-09-16 16:23
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.9.0-3.9.23 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.362Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.9.0-3.9.23" } ] } ], "datePublic": "2021-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:05.202Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html" } ], "title": "[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-01-12T16:00:00", "ID": "CVE-2021-23124", "STATE": "PUBLIC", "TITLE": "[20210102] - Core - XSS in mod_breadcrumbs aria-label attribute" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.9.0-3.9.23" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.23. 
The lack of escaping in mod_breadcrumbs aria-label attribute allows XSS attacks." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/837-20210102-core-xss-in-mod-breadcrumbs-aria-label-attribute.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23124", "datePublished": "2021-01-12T20:19:49.480301Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T16:23:39.058Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35613
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 20:38
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.337Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list." } ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:48.769Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html" } ], "title": "[20201104] - Core - SQL injection in com_users list view", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35613", "STATE": "PUBLIC", "TITLE": "[20201104] - Core - SQL injection in com_users list view" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.22. 
Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35613", "datePublished": "2020-12-28T19:39:18.351403Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T20:38:00.537Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21723
Vulnerability from cvelistv5
Published
2024-02-20 16:23
Modified
2024-12-04 16:09
Severity ?
EPSS score ?
Summary
Inadequate parsing of URLs could result in an open redirect.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 1.5.0-3.10.14 Version: 4.0.0-4.4.2 Version: 5.0.0-5.0.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21723", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-01T18:39:52.520855Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T15:15:31.740Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.261Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.5.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "xishir" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate parsing of URLs could result into an open redirect." } ], "value": "Inadequate parsing of URLs could result into an open redirect." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-04T16:09:52.726Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240202] - Core - Open redirect in installation application", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21723", "datePublished": "2024-02-20T16:23:25.802Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-12-04T16:09:52.726Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21722
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-11-03 04:33
Severity ?
EPSS score ?
Summary
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.2.0-3.10.14 Version: 4.0.0-4.4.2 Version: 5.0.0-5.0.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21722", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T16:22:54.460242Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T17:26:08.085Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Carsten Schmitz" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The MFA management features did not properly terminate existing user sessions when a user\u0027s MFA methods have been modified." } ], "value": "The MFA management features did not properly terminate existing user sessions when a user\u0027s MFA methods have been modified." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-03T04:33:10.830Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240201] - Core - Insufficient session expiration in MFA management views", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21722", "datePublished": "2024-02-20T16:22:50.937Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-11-03T04:33:10.830Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23128
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 01:46
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core-shipped but unused randval implementation within FOF (FOFEncryptRandval) used a potentially insecure implementation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.2.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.408Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to \u0027random_bytes()\u0027 and its backport that is shipped within random_compat." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Randomness", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:19.495Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html" } ], "title": "[20210302] - Core - Potential Insecure FOFEncryptRandval", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23128", "STATE": "PUBLIC", "TITLE": "[20210302] - Core - Potential Insecure FOFEncryptRandval" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to \u0027random_bytes()\u0027 and its backport that is shipped within random_compat." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Randomness" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23128", "datePublished": "2021-03-04T17:37:14.499073Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T01:46:00.654Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26035
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-16 17:43
Severity ?
EPSS score ?
Summary
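An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to an XSS vulnerability. Note: the problem-type field in the record below reads "CSRF", although the description and the advisory title ("XSS in JForm Rules field") describe cross-site scripting; filters keyed on problem type will misclassify this entry.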
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.27 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.383Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:15.577Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html" } ], "title": "[20210701] - Core - XSS in JForm Rules field", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26035", "STATE": "PUBLIC", "TITLE": "[20210701] - Core - XSS in JForm Rules field" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the rules field of the JForm API leads to a XSS vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/856-20210701-core-xss-in-jform-rules-field.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26035", "datePublished": "2021-07-07T10:12:45.054468Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T17:43:25.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26027
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 00:56
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.391Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL violation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:04.824Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html" } ], "title": "[20210307] - Core - ACL violation within com_content frontend editing", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-26027", "STATE": "PUBLIC", "TITLE": "[20210307] - Core - ACL violation within com_content frontend editing" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. 
Incorrect ACL checks could allow unauthorized change of the category for an article." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ACL violation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/847-20210307-core-acl-violation-within-com-content-frontend-editing.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26027", "datePublished": "2021-03-04T17:37:15.005802Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T00:56:00.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21730
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2024-08-02 04:33
Severity ?
EPSS score ?
Summary
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.4.5 Version: 5.0.0-5.1.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-21730", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-23T19:15:56.740504Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-23T19:16:09.385Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.784Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/936-20240702-core-self-xss-in-fancyselect-list-field-layout.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector." } ], "value": "The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T04:33:43.196Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/936-20240702-core-self-xss-in-fancyselect-list-field-layout.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240702] - Core - Self-XSS in fancyselect list field layout", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21730", "datePublished": "2024-07-09T16:15:49.888Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2024-08-02T04:33:43.196Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35611
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 20:02
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The global configuration page does not remove secrets from the HTML output, disclosing the current values.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.043Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:55.963Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html" } ], "title": "[20201102] - Core - Disclosure of secrets in Global Configuration page", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35611", "STATE": "PUBLIC", "TITLE": "[20201102] - Core - Disclosure of secrets in Global Configuration page" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35611", "datePublished": "2020-12-28T19:39:18.132811Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T20:02:48.985Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23797
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 17:28
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering of the selected IDs in a request could result in a possible SQL injection.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.10.6 & 4.0.0-4.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.025Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection." } ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:33.127Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html" } ], "title": "[20220305] - Core - Inadequate filtering on the selected Ids", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23797", "STATE": "PUBLIC", "TITLE": "[20220305] - Core - Inadequate filtering on the selected Ids" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/874-20220305-core-inadequate-filtering-on-the-selected-ids.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23797", "datePublished": "2022-03-30T15:20:29.271982Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T17:28:28.264Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23132
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 03:53
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.243Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads" } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Input Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:08.799Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html" } ], "title": "[20210306] - Core - com_media allowed paths that are not intended for image uploads", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23132", "STATE": "PUBLIC", "TITLE": "[20210306] - Core - com_media allowed paths that are not intended for image uploads" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/846-20210306-core-com-media-allowed-paths-that-are-not-intended-for-image-uploads.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23132", "datePublished": "2021-03-04T17:37:14.907908Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T03:53:00.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26038
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-17 03:38
Severity ?
EPSS score ?
Summary
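An issue was discovered in Joomla! 2.5.0 through 3.9.27. The install action in com_installer lacks the required hardcoded ACL checks for superusers. A default system is not affected, because the default ACL for com_installer is already limited to super users; exposure is therefore limited to sites that have granted com_installer permissions to other groups. Note: the problem-type field in the record below reads "CSRF", while the advisory title is "Privilege escalation through com_installer"; the label does not match the missing ACL check described here.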
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.27 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.734Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. Install action in com_installer lack the required hardcoded ACL checks for superusers. A default system is not affected cause the default ACL for com_installer is limited to super users already." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:13.249Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html" } ], "title": "[20210704] - Core - Privilege escalation through com_installer", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26038", "STATE": "PUBLIC", "TITLE": "[20210704] - Core - Privilege escalation through com_installer" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. Install action in com_installer lack the required hardcoded ACL checks for superusers. A default system is not affected cause the default ACL for com_installer is limited to super users already." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/859-20210704-core-privilege-escalation-through-com-installer.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26038", "datePublished": "2021-07-07T10:12:47.940008Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T03:38:06.173Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26278
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2024-08-02 04:33
Severity ?
EPSS score ?
Summary
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.7.0-3.10.15 Version: 4.0.0-4.4.5 Version: 5.0.0-5.1.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26278", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T16:34:58.108570Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-09T16:35:10.300Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:07:19.096Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/939-20240705-core-xss-in-com-fields-default-field-value.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.15" }, { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The Custom Fields component not correctly filter inputs, leading to a XSS vector." } ], "value": "The Custom Fields component not correctly filter inputs, leading to a XSS vector." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T04:33:52.095Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/939-20240705-core-xss-in-com-fields-default-field-value.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240705] - Core - XSS in com_fields default field value", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-26278", "datePublished": "2024-07-09T16:15:44.821Z", "dateReserved": "2024-02-15T12:00:47.368Z", "dateUpdated": "2024-08-02T04:33:52.095Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26279
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2024-08-02 04:34
Severity ?
EPSS score ?
Summary
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/938-20240704-core-xss-in-wrapper-extensions.html | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.7.0-3.10.15 Version: 4.0.0-4.4.5 Version: 5.0.0-5.1.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-26279", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T17:48:49.944961Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-09T17:48:59.108Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:07:18.839Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/938-20240704-core-xss-in-wrapper-extensions.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.15" }, { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The wrapper extensions do not correctly validate inputs, leading to XSS vectors." } ], "value": "The wrapper extensions do not correctly validate inputs, leading to XSS vectors." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T04:34:07.431Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/938-20240704-core-xss-in-wrapper-extensions.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240704] - Core - XSS in Wrapper extensions", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-26279", "datePublished": "2024-07-09T16:15:48.485Z", "dateReserved": "2024-02-15T12:00:47.368Z", "dateUpdated": "2024-08-02T04:34:07.431Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27185
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-09-22 04:34
Severity ?
EPSS score ?
Summary
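The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. Note: the CISA ADP container in the record below gives the vendor and product as "joomial_project" / "joomial_cms" in its CPE string, which does not match the CNA's "Joomla! Project" / "Joomla! CMS", so automated CPE matching against that string may miss affected installations. The same container carries a CVSS 3.1 base score of 9.1 (CRITICAL) that the "Severity ?" field above does not show.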
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.10.16 Version: 4.0.0-4.4.6 Version: 5.0.0-5.1.2 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joomial_project:joomial_cms:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "joomial_cms", "vendor": "joomial_project", "versions": [ { "lessThanOrEqual": "3.10.16", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "4.4.6", "status": "affected", "version": "4.0.0", "versionType": "custom" }, { "lessThanOrEqual": "5.1.2", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27185", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T19:18:32.640070Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-349", "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-20T19:24:23.089Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! 
Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.16" }, { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Shane Edwards" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors." } ], "value": "The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors." } ], "impacts": [ { "capecId": "CAPEC-141", "descriptions": [ { "lang": "en", "value": "CAPEC-141 Cache Poisoning" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-22T04:34:29.775Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/942-20240802-core-cache-poisoning-in-pagination.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240802] - Core - Cache Poisoning in Pagination", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27185", "datePublished": "2024-08-20T16:03:58.015Z", "dateReserved": "2024-02-21T04:29:37.776Z", "dateUpdated": "2024-09-22T04:34:29.775Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35616
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 18:55
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 1.7.0 - 3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.691Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.7.0 - 3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL Violation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:34:07.578Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html" } ], "title": "[20201107] - Core - Write ACL violation in multiple core views", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35616", "STATE": "PUBLIC", "TITLE": "[20201107] - Core - Write ACL violation in multiple core views" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "1.7.0 - 3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 1.7.0 through 3.9.22. 
Lack of input validation while handling ACL rulesets can cause write ACL violations." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ACL Violation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35616", "datePublished": "2020-12-28T19:39:18.657708Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T18:55:49.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23752
Vulnerability from cvelistv5
Published
2023-02-16 16:25
Modified
2024-08-04 08:42
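Severity 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, scored in the CISA-ADP container; the same container records SSVC "Exploitation: active" and a CISA KEV entry (dateAdded 2024-01-08), so the base score alone understates patching priority.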
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.2.7 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "joomla\\!", "vendor": "joomla", "versions": [ { "lessThanOrEqual": "4.2.7", "status": "affected", "version": "4.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-23752", "options": [ { "Exploitation": "active" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-24T20:52:45.656035Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2024-01-08", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-23752" }, "type": "kev" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-24T20:56:47.891Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.640Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! 
Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.7" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Zewei Zhang from NSFOCUS TIANJI Lab" } ], "datePublic": "2023-02-16T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints." } ], "problemTypes": [ { "descriptions": [ { "description": "ACL", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:59.915Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230201] - Core - Improper access check in webservice endpoints", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23752", "datePublished": "2023-02-16T16:25:21.003Z", "dateReserved": "2023-01-17T19:02:50.302Z", "dateUpdated": "2024-08-04T08:42:59.915Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23125
Vulnerability from cvelistv5
Published
2021-01-12 20:19
Modified
2024-09-16 17:27
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views leads to XSS attack vectors.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.1.0-3.9.23 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.303Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.1.0-3.9.23" } ] } ], "datePublic": "2021-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:14.555Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html" } ], "title": "[20210103] - Core - XSS in com_tags image parameters", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-01-12T16:00:00", "ID": "CVE-2021-23125", "STATE": "PUBLIC", "TITLE": "[20210103] - Core - XSS in com_tags image parameters" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.1.0-3.9.23" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.1.0 through 3.9.23. 
The lack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/838-20210103-core-xss-in-com-tags-image-parameters.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23125", "datePublished": "2021-01-12T20:19:49.583211Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T17:27:49.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23123
Vulnerability from cvelistv5
Published
2021-01-12 20:19
Modified
2024-09-16 17:19
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leaks names of unpublished and/or inaccessible modules.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.23 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.267Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.23" } ] } ], "datePublic": "2021-01-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules." } ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:24.442Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html" } ], "title": "[20210101] - Core - com_modules exposes module names", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-01-12T16:00:00", "ID": "CVE-2021-23123", "STATE": "PUBLIC", "TITLE": "[20210101] - Core - com_modules exposes module names" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.23" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.23. 
The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23123", "datePublished": "2021-01-12T20:19:49.325740Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T17:19:11.273Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35610
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-17 01:51
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.126Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:50.073Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html" } ], "title": "[20201101] - Core - com_finder ignores access levels on autosuggest", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35610", "STATE": "PUBLIC", "TITLE": "[20201101] - Core - com_finder ignores access levels on autosuggest" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 
2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35610", "datePublished": "2020-12-28T19:39:18.000331Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-17T01:51:48.440Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23754
Vulnerability from cvelistv5
Published
2023-05-30 16:12
Modified
2024-08-04 08:42
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.2.0-4.3.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.711Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0-4.3.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Srpopty from huntr.dev" } ], "datePublic": "2023-05-28T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen." 
} ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:38.179Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230501] - Core - Open Redirect and XSS within the mfa select", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23754", "datePublished": "2023-05-30T16:12:44.475Z", "dateReserved": "2023-01-17T19:48:53.503Z", "dateUpdated": "2024-08-04T08:42:38.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23798
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 22:19
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.10.6 & 4.0.0-4.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.005Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not." } ], "problemTypes": [ { "descriptions": [ { "description": "Open redirect", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:20.836Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html" } ], "title": "[20220306] - Core - Inadequate validation of internal URLs", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23798", "STATE": "PUBLIC", "TITLE": "[20220306] - Core - Inadequate validation of internal URLs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! 
Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Open redirect" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/875-20220306-core-inadequate-validation-of-internal-urls.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23798", "datePublished": "2022-03-30T15:20:30.757090Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T22:19:54.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23800
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 19:35
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.1.0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:45.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.1.0" } ] }, { "product": "joomla/filter", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.0.0-1.4.3 \u0026 2.0.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:03.881Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html" } ], "title": "[20220308] - Core - Inadequate content filtering within the filter code", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23800", "STATE": "PUBLIC", "TITLE": "[20220308] - Core - Inadequate content filtering within the filter code" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! 
CMS", "version": { "version_data": [ { "version_value": "4.0.0-4.1.0" } ] } }, { "product_name": "joomla/filter", "version": { "version_data": [ { "version_value": "1.0.0-1.4.3 \u0026 2.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23800", "datePublished": "2022-03-30T15:20:33.653594Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T19:35:06.733Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27913
Vulnerability from cvelistv5
Published
2022-10-25 19:00
Modified
2024-09-16 17:15
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.2.0-4.2.3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:11.117Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/886-20221002-core-reflected-xss-in-various-components.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0-4.2.3" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ajith Menon" } ], "datePublic": "2022-10-24T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Reflected Cross-Site Scripting (XSS)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:02.488Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/886-20221002-core-reflected-xss-in-various-components.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20221002] - Core - RXSS through reflection of user input in headings", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27913", "datePublished": "2022-10-25T19:00:15.710464Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-09-16T17:15:02.209Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23129
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 22:20
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages shown to users could lead to XSS issues.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.358Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of messages showed to users that could lead to xss issues." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:47.368Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html" } ], "title": "[20210303] - Core - XSS within alert messages showed to users", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23129", "STATE": "PUBLIC", "TITLE": "[20210303] - Core - XSS within alert messages showed to users" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. 
Missing filtering of messages showed to users that could lead to xss issues." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/843-20210303-core-xss-within-alert-messages-showed-to-users.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23129", "datePublished": "2021-03-04T17:37:14.594061Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T22:20:48.736Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26039
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-16 16:24
Summary
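An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to an XSS vulnerability. (Note: the problemTypes field in the record below reads "CSRF", although the title and description describe XSS; filtering by problem type alone would misclassify this entry.)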
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.27 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.396Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:25.768Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html" } ], "title": "[20210705] - Core - XSS in com_media imagelist", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26039", "STATE": "PUBLIC", "TITLE": "[20210705] - Core - XSS in com_media imagelist" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate escaping in the imagelist view of com_media leads to a XSS vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/860-20210705-core-xss-in-com-media-imagelist.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26039", "datePublished": "2021-07-07T10:12:48.839634Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T16:24:06.780Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23130
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 02:21
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to XSS issues.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.357Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to xss issues." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:49.568Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html" } ], "title": "[20210304] - Core - XSS within the feed parser library", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23130", "STATE": "PUBLIC", "TITLE": "[20210304] - Core - XSS within the feed parser library" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.24. Missing filtering of feed fields could lead to xss issues." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/844-20210304-core-xss-within-the-feed-parser-library.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23130", "datePublished": "2021-03-04T17:37:14.702009Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T02:21:25.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23127
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-16 23:32
Summary
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The 2FA secret was generated with an insufficient length according to RFC 4226: 10 bytes instead of 20 bytes.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.2.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Randomness", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:43.519Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ], "title": "[20210301] - Core - Insecure randomness within 2FA secret generation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23127", "STATE": "PUBLIC", "TITLE": "[20210301] - Core - Insecure randomness within 2FA secret generation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 
3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Randomness" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23127", "datePublished": "2021-03-04T17:37:14.392198Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T23:32:03.876Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21731
Vulnerability from cvelistv5
Published
2024-07-09 16:15
Modified
2024-08-02 04:33
Summary
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.10.15 Version: 4.0.0-4.4.5 Version: 5.0.0-5.1.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-21731", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T17:46:33.174612Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-09T17:46:40.122Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.922Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/937-20240703-core-xss-in-stringhelper-truncate-method.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.15" }, { "status": "affected", "version": "4.0.0-4.4.5" }, { "status": "affected", "version": "5.0.0-5.1.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jesper den Boer" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper handling of input could lead to an XSS vector in the StringHelper::truncate method." } ], "value": "Improper handling of input could lead to an XSS vector in the StringHelper::truncate method." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T04:33:41.988Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/937-20240703-core-xss-in-stringhelper-truncate-method.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240703] - Core - XSS in StringHelper::truncate method", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21731", "datePublished": "2024-07-09T16:15:43.351Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2024-08-02T04:33:41.988Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27914
Vulnerability from cvelistv5
Published
2022-11-08 18:50
Modified
2024-11-26 04:35
Summary
An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.2.4 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:41:11.011Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/887-20221101-core-rxss-through-reflection-of-user-input-in-com-media.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-27914", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-19T21:06:47.503605Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-19T21:09:16.148Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.4" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Denitz" } ], "datePublic": "2022-11-07T23:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Reflected Cross-Site Scripting (XSS)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T04:35:20.023Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/887-20221101-core-rxss-through-reflection-of-user-input-in-com-media.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20221101] - Core - RXSS through reflection of user input in com_media", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-27914", "datePublished": "2022-11-08T18:50:10.534726Z", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2024-11-26T04:35:20.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27186
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-11-26 04:35
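Severity: 6.1 MEDIUM (CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; score supplied by the CISA-ADP container in the record below)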
Summary
The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/944-20240803-core-xss-in-html-mail-templates.html | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.4.6 Version: 5.0.0-5.1.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27186", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T17:38:52.591486Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T15:35:57.853Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Elysee Franchuk" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions." } ], "value": "The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T04:35:13.782Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/944-20240803-core-xss-in-html-mail-templates.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240803] - Core - XSS in HTML Mail Templates", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27186", "datePublished": "2024-08-20T16:03:56.863Z", "dateReserved": "2024-02-21T04:29:37.776Z", "dateUpdated": "2024-11-26T04:35:13.782Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-40626
Vulnerability from cvelistv5
Published
2023-11-29 12:28
Modified
2024-12-04 16:10
Summary
The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 1.6.0-4.4.0 Version: 5.0.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:38:50.992Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/919-20231101-core-exposure-of-environment-variables.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-40626", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-02T19:23:38.617845Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T19:24:03.443Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.6.0-4.4.0" }, { "status": "affected", "version": "5.0.0" } ] } ], "datePublic": "2023-11-21T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eThe language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.\u003c/p\u003e" } ], "value": "The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-04T16:10:05.927Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/919-20231101-core-exposure-of-environment-variables.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20231101] - Core - Exposure of environment variables", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-40626", "datePublished": "2023-11-29T12:28:47.787Z", "dateReserved": "2023-08-17T19:37:15.600Z", "dateUpdated": "2024-12-04T16:10:05.927Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26037
Vulnerability from cvelistv5
Published
2021-07-07 10:12
Modified
2024-09-17 04:09
Summary
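An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly terminate existing user sessions when a user's password was changed or the user was blocked. (Note: the problemTypes field in the record below reads "CSRF", which does not appear to match the session-termination issue named in the title and description.)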
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.27 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.711Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.27" } ] } ], "datePublic": "2021-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user\u0027s password was changed or the user was blocked." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:38.766Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html" } ], "title": "[20210703] - Core - Lack of enforced session termination", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-07-06T16:00:00", "ID": "CVE-2021-26037", "STATE": "PUBLIC", "TITLE": "[20210703] - Core - Lack of enforced session termination" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.27" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.27. 
CMS functions did not properly termine existing user sessions when a user\u0027s password was changed or the user was blocked." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/858-20210703-core-lack-of-enforced-session-termination.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26037", "datePublished": "2021-07-07T10:12:47.003101Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T04:09:16.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23750
Vulnerability from cvelistv5
Published
2023-02-01 21:12
Modified
2024-08-04 08:42
Summary
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.2.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.786Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/890-20230101-core-csrf-within-post-installation-messages.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.2.6" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Faizan Wani" } ], "datePublic": "2023-01-31T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:11.976Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/890-20230101-core-csrf-within-post-installation-messages.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230101] - Core - CSRF within post-installation messages", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23750", "datePublished": "2023-02-01T21:12:36.067Z", "dateReserved": "2023-01-17T19:02:50.302Z", "dateUpdated": "2024-08-04T08:42:11.976Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23796
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-17 02:27
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.7.0-3.10.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.129Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.6" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:55.663Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html" } ], "title": "[20220304] - Core - Missing input validation within com_fields class inputs", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23796", "STATE": "PUBLIC", "TITLE": "[20220304] - Core - Missing input validation within com_fields class inputs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.7.0-3.10.6" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.7.0 through 3.10.6. 
Lack of input validation could allow an XSS attack using com_fields." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/873-20220304-core-missing-input-validation-within-com-fields-class-inputs.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23796", "datePublished": "2022-03-30T15:20:27.595867Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-17T02:27:29.087Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35612
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 23:10
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.131Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "Path traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:33:52.940Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html" } ], "title": "[20201103] - Core - Path traversal in mod_random_image", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35612", "STATE": "PUBLIC", "TITLE": "[20201103] - Core - Path traversal in mod_random_image" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. 
The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35612", "datePublished": "2020-12-28T19:39:18.241087Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T23:10:23.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23799
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 16:37
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Joomla! Project | Joomla! CMS | 4.0.0-4.1.0 |
Joomla! Project | joomla/input | 2.0.0-2.0.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.070Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.1.0" } ] }, { "product": "joomla/input", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.0.0-2.0.1" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data." } ], "problemTypes": [ { "descriptions": [ { "description": "Variable Tampering", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:54.784Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html" } ], "title": "[20220307] - Core - Variable Tampering on JInput $_REQUEST data", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23799", "STATE": "PUBLIC", "TITLE": "[20220307] - Core - Variable Tampering on JInput $_REQUEST data" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! 
CMS", "version": { "version_data": [ { "version_value": "4.0.0-4.1.0" } ] } }, { "product_name": "joomla/input", "version": { "version_data": [ { "version_value": "2.0.0-2.0.1" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Variable Tampering" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/876-20220307-core-variable-tampering-on-jinput-request-data.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23799", "datePublished": "2022-03-30T15:20:32.231485Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T16:37:47.886Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23794
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-17 02:41
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file with an excessively long name causes an error, and the resulting error screen shows the path of the web application's source code.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Joomla! Project | Joomla! CMS | 3.0.0-3.10.6 & 4.0.0-4.1.0 |
Joomla! Project | joomla/filesystem | 1.0.0-1.6.1 & 2.0.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.080Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] }, { "product": "joomla/filesystem", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.0.0-1.6.1 \u0026 2.0.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application." } ], "problemTypes": [ { "descriptions": [ { "description": "Path Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:29.418Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html" } ], "title": "[20220302] - Core - Path Disclosure within filesystem error messages", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23794", "STATE": "PUBLIC", "TITLE": "[20220302] - Core - Path Disclosure within filesystem error messages" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! 
CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } }, { "product_name": "joomla/filesystem", "version": { "version_data": [ { "version_value": "1.0.0-1.6.1 \u0026 2.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/871-20220302-core-path-disclosure-within-filesystem-error-messages.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23794", "datePublished": "2022-03-30T15:20:24.272061Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-17T02:41:10.057Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26040
Vulnerability from cvelistv5
Published
2021-08-24 14:20
Modified
2024-09-17 03:13
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.400Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0" } ] } ], "datePublic": "2021-08-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user\u0027s permissions before executing a file deletion command." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:19.507Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint" } ], "title": "[20210801] - Core - Insufficient access control for com_media deletion endpoint", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-08-24T16:00:00", "ID": "CVE-2021-26040", "STATE": "PUBLIC", "TITLE": "[20210801] - Core - Insufficient access control for com_media deletion endpoint" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "4.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0. 
The media manager does not correctly check the user\u0027s permissions before executing a file deletion command." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26040", "datePublished": "2021-08-24T14:20:13.190253Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T03:13:32.794Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21726
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-12-25 04:35
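Severity 6.5 (MEDIUM), CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, as scored in the CISA-ADP container of the record below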
EPSS score ?
Summary
Inadequate content filtering leads to XSS vulnerabilities in various components.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.7.0-3.10.14 Version: 4.0.0-4.4.2 Version: 5.0.0-5.0.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21726", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T20:46:25.073985Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-04T20:25:00.725Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.7.0-3.10.14" }, { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Stefan Schiller (Sonar)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate content filtering leads to XSS vulnerabilities in various components." } ], "value": "Inadequate content filtering leads to XSS vulnerabilities in various components." 
} ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-25T04:35:19.649Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html" }, { "tags": [ "technical-description" ], "url": "https://www.sonarsource.com/blog/joomla-multiple-xss-vulnerabilities/" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240205] - Core - Inadequate content filtering within the filter code", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21726", "datePublished": "2024-02-20T16:22:36.946Z", "dateReserved": "2024-01-01T04:30:58.881Z", "dateUpdated": "2024-12-25T04:35:19.649Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-21725
Vulnerability from cvelistv5
Published
2024-02-20 16:22
Modified
2024-10-28 04:34
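Severity 6.1 (MEDIUM), CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, as scored in the CISA-ADP container of the record below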
EPSS score ?
Summary
Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html | vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.4.2 Version: 5.0.0-5.0.2 |
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-21725", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-29T17:44:47.368140Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-27T02:09:02.756Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.950Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.2" }, { "status": "affected", "version": "5.0.0-5.0.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Gareth Heyes (PortSwigger Research)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components." 
} ], "value": "Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components." } ], "impacts": [ { "capecId": "CAPEC-18", "descriptions": [ { "lang": "en", "value": "CAPEC-18 XSS Targeting Non-Script Elements" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-28T04:34:16.221Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240204] - Core - XSS in mail address outputs", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-21725", "datePublished": "2024-02-20T16:22:57.554Z", "dateReserved": "2024-01-01T04:30:58.880Z", "dateUpdated": "2024-10-28T04:34:16.221Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23801
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 19:35
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS attack vector through SVG embedding in com_media.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.138Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.1.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media." } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:27.052Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html" } ], "title": "[20220309] - Core - XSS attack vector through SVG", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23801", "STATE": "PUBLIC", "TITLE": "[20220309] - Core - XSS attack vector through SVG" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "4.0.0-4.1.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/878-20220309-core-xss-attack-vector-through-svg.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23801", "datePublished": "2022-03-30T15:20:35.023851Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T19:35:51.135Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26030
Vulnerability from cvelistv5
Published
2021-04-14 17:34
Modified
2024-09-16 20:12
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on the error page.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.25 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.590Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.25" } ] } ], "datePublic": "2021-04-13T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page" } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:15.935Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html" } ], "title": "[20210401] - Core - Escape xss in logo parameter error pages", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-04-13T16:00:00", "ID": "CVE-2021-26030", "STATE": "PUBLIC", "TITLE": "[20210401] - Core - Escape xss in logo parameter error pages" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.25" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. 
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26030", "datePublished": "2021-04-14T17:34:57.954589Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-16T20:12:29.345Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35615
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 23:21
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 2.5.0-3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.243Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "2.5.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:33:12.294Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html" } ], "title": "[20201106] - Core - CSRF in com_privacy emailexport feature", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35615", "STATE": "PUBLIC", "TITLE": "[20201106] - Core - CSRF in com_privacy emailexport feature" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "2.5.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 2.5.0 through 3.9.22. 
A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35615", "datePublished": "2020-12-28T19:39:18.556142Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T23:21:35.122Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27187
Vulnerability from cvelistv5
Published
2024-08-20 16:03
Modified
2024-08-22 04:32
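Severity: 7.5 HIGH (CVSS 3.1 base score, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, from the CISA-ADP container in the record below; the CNA container carries no score)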
EPSS score ?
Summary
Improper access controls allow backend users to overwrite their username even when this is disallowed.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.0.0-4.4.6 Version: 5.0.0-5.1.2 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "joomla\\!", "vendor": "joomla", "versions": [ { "lessThanOrEqual": "4.4.6", "status": "affected", "version": "4.0.0", "versionType": "custom" }, { "lessThanOrEqual": "5.1.2", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27187", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-20T19:24:02.130454Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-20T19:26:50.131Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.0.0-4.4.6" }, { "status": "affected", "version": "5.0.0-5.1.2" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Elysee Franchuk" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Access Controls allows backend users to overwrite their username when disallowed." } ], "value": "Improper Access Controls allows backend users to overwrite their username when disallowed." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T04:32:02.125Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/945-20240804-core-improper-acl-for-backend-profile-view.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20240804] - Core - Improper ACL for backend profile view", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2024-27187", "datePublished": "2024-08-20T16:03:43.540Z", "dateReserved": "2024-02-21T04:29:37.776Z", "dateUpdated": "2024-08-22T04:32:02.125Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35614
Vulnerability from cvelistv5
Published
2020-12-28 19:39
Modified
2024-09-16 22:35
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.9.0-3.9.22 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:14.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.9.0-3.9.22" } ] } ], "datePublic": "2020-11-24T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page." } ], "problemTypes": [ { "descriptions": [ { "description": "User Enumeration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-05T04:32:43.791Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html" } ], "title": "[20201105] - Core - User Enumeration in backend login", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2020-11-24T16:00:00", "ID": "CVE-2020-35614", "STATE": "PUBLIC", "TITLE": "[20201105] - Core - User Enumeration in backend login" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.9.0-3.9.22" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.9.0 through 3.9.22. 
Improper handling of the username leads to a user enumeration attack vector in the backend login page." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Enumeration" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2020-35614", "datePublished": "2020-12-28T19:39:18.455789Z", "dateReserved": "2020-12-21T00:00:00", "dateUpdated": "2024-09-16T22:35:21.093Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23793
Vulnerability from cvelistv5
Published
2022-03-30 15:20
Modified
2024-09-16 20:59
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Extracting a specifically crafted tar package could write files outside of the intended path.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html | x_refsource_MISC, vendor-advisory | |
http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.10.6 & 4.0.0-4.1.0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:46.084Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] }, { "product": "joomla/archive", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "1.0.0-1.1.11 \u0026 2.0.0" } ] } ], "datePublic": "2022-03-29T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Path Traversal", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:35.863Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html" } ], "title": "[20220301] - Core - Zip Slip within the Tar extractor", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2022-03-29T18:00:00", "ID": "CVE-2022-23793", "STATE": "PUBLIC", "TITLE": "[20220301] - Core - Zip Slip within the Tar extractor" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.10.6 \u0026 4.0.0-4.1.0" } ] } }, { "product_name": "joomla/archive", "version": { "version_data": [ { "version_value": "1.0.0-1.1.11 \u0026 2.0.0" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.10.6 \u0026 4.0.0 through 4.1.0. Extracting an specifilcy crafted tar package could write files outside of the intended path." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html" }, { "name": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/166546/Joomla-4.1.0-Zip-Slip-File-Overwrite-Path-Traversal.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2022-23793", "datePublished": "2022-03-30T15:20:22.462121Z", "dateReserved": "2022-01-20T00:00:00", "dateUpdated": "2024-09-16T20:59:09.256Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26031
Vulnerability from cvelistv5
Published
2021-04-14 17:35
Modified
2024-09-17 01:01
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to a local file inclusion (LFI).
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.0.0-3.9.25 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:19.494Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.0.0-3.9.25" } ] } ], "datePublic": "2021-04-13T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI." } ], "problemTypes": [ { "descriptions": [ { "description": "LFI", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:41:51.801Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html" } ], "title": "[20210402] - Core - Inadequate filters on module layout settings", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-04-13T16:00:00", "ID": "CVE-2021-26031", "STATE": "PUBLIC", "TITLE": "[20210402] - Core - Inadequate filters on module layout settings" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.0.0-3.9.25" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.0.0 through 3.9.25. 
Inadequate filters on module layout settings could lead to an LFI." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "LFI" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-26031", "datePublished": "2021-04-14T17:35:34.974375Z", "dateReserved": "2021-01-25T00:00:00", "dateUpdated": "2024-09-17T01:01:47.475Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23131
Vulnerability from cvelistv5
Published
2021-03-04 17:37
Modified
2024-09-17 00:51
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager.
References
▼ | URL | Tags |
---|---|---|
https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html | x_refsource_MISC, vendor-advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 3.2.0-3.9.24 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.269Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "3.2.0-3.9.24" } ] } ], "datePublic": "2021-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager." } ], "problemTypes": [ { "descriptions": [ { "description": "Improper Input Validation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:43:29.330Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "x_refsource_MISC", "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html" } ], "title": "[20210305] - Core - Input validation within the template manager", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23131", "STATE": "PUBLIC", "TITLE": "[20210305] - Core - Input validation within the template manager" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Joomla! CMS", "version": { "version_data": [ { "version_value": "3.2.0-3.9.24" } ] } } ] }, "vendor_name": "Joomla! Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. 
Missing input validation within the template manager." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/845-20210305-core-input-validation-within-the-template-manager.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23131", "datePublished": "2021-03-04T17:37:14.799964Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T00:51:57.175Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23755
Vulnerability from cvelistv5
Published
2023-05-30 16:12
Modified
2024-08-04 08:42
Severity ?
EPSS score ?
Summary
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Joomla! Project | Joomla! CMS |
Version: 4.2.0-4.3.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:25.708Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://developer.joomla.org/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [ { "status": "affected", "version": "4.2.0-4.3.1" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Phil Taylor" } ], "datePublic": "2023-05-28T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.\u003c/p\u003e" } ], "value": "An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Lack of rate limiting", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-04T08:42:41.848Z", "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://developer.joomla.org/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "[20230502] - Core - Bruteforce prevention within the mfa screen", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2023-23755", "datePublished": "2023-05-30T16:12:32.399Z", "dateReserved": "2023-01-17T19:48:53.503Z", "dateUpdated": "2024-08-04T08:42:41.848Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }