CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Joomla : Security Vulnerabilities (CVSS score between 5 and 8.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-26040 863 2021-08-24 2021-08-31
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.
2 CVE-2021-26037 613 2021-07-07 2021-07-09
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! 2.5.0 through 3.9.27. CMS functions did not properly termine existing user sessions when a user's password was changed or the user was blocked.
3 CVE-2021-26036 20 2021-07-07 2021-07-09
5.0
None Remote Low Not required None None Partial
An issue was discovered in Joomla! 2.5.0 through 3.9.27. Missing validation of input could lead to a broken usergroups table.
4 CVE-2021-26031 2021-04-14 2021-04-22
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
5 CVE-2021-26029 20 2021-03-04 2021-03-10
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! 1.6.0 through 3.9.24. Inadequate filtering of form contents could allow to overwrite the author field.
6 CVE-2021-26027 668 2021-03-04 2021-03-09
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article.
7 CVE-2021-23132 2021-03-04 2021-03-05
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads
8 CVE-2021-23131 20 2021-03-04 2021-03-05
5.0
None Remote Low Not required None None Partial
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Missing input validation within the template manager.
9 CVE-2021-23128 2021-03-04 2021-03-05
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat.
10 CVE-2021-23127 2021-03-04 2021-03-05
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes.
11 CVE-2021-23126 326 2021-03-04 2021-03-05
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret.
12 CVE-2021-23123 862 2021-01-12 2021-01-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.
13 CVE-2020-35616 20 2020-12-28 2020-12-30
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.
14 CVE-2020-35615 352 CSRF 2020-12-28 2020-12-30
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
15 CVE-2020-35614 200 +Info 2020-12-28 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page.
16 CVE-2020-35613 89 Sql 2020-12-28 2020-12-30
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
17 CVE-2020-35612 22 Dir. Trav. 2020-12-28 2020-12-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
18 CVE-2020-35611 200 +Info 2020-12-28 2020-12-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.
19 CVE-2020-35610 2020-12-28 2020-12-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
20 CVE-2020-24598 601 2020-08-26 2020-08-28
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open redirect.
21 CVE-2020-15700 352 CSRF 2020-07-15 2020-07-15
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! through 3.9.19. A missing token check in the ajax_install endpoint of com_installer causes a CSRF vulnerability.
22 CVE-2020-15699 345 2020-07-15 2020-07-15
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration.
23 CVE-2020-15698 200 +Info 2020-07-15 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! through 3.9.19. Inadequate filtering on the system information screen could expose Redis or proxy credentials
24 CVE-2020-15695 352 CSRF 2020-07-15 2020-07-15
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
25 CVE-2020-13763 281 2020-06-02 2020-10-19
5.0
None Remote Low Not required None Partial None
In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users.
26 CVE-2020-13760 352 CSRF 2020-06-02 2020-10-19
6.8
None Remote Medium Not required Partial Partial Partial
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
27 CVE-2020-11891 863 2020-04-21 2021-07-21
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
28 CVE-2020-11890 20 2020-04-21 2020-04-29
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! before 3.9.17. Improper input validations in the usergroup table class could lead to a broken ACL configuration.
29 CVE-2020-11889 863 2020-04-21 2021-07-21
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
30 CVE-2020-10243 89 Sql 2020-03-16 2020-03-18
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Featured Articles frontend menutype.
31 CVE-2020-10241 352 CSRF 2020-03-16 2020-03-18
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF.
32 CVE-2020-10240 20 2020-03-16 2020-03-19
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.
33 CVE-2020-10239 862 2020-03-16 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.
34 CVE-2020-10238 668 2020-03-16 2020-03-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.
35 CVE-2020-8420 352 CSRF 2020-01-28 2020-02-07
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
36 CVE-2020-8419 352 CSRF 2020-01-28 2020-02-06
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities.
37 CVE-2019-19846 89 Sql 2019-12-18 2019-12-18
7.5
None Remote Low Not required Partial Partial Partial
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
38 CVE-2019-19845 22 Dir. Trav. 2019-12-18 2019-12-19
5.0
None Remote Low Not required Partial None None
In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure.
39 CVE-2019-18674 862 2019-11-06 2019-11-06
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure.
40 CVE-2019-18650 352 CSRF 2019-11-06 2019-11-06
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability.
41 CVE-2019-15028 2019-08-14 2020-08-24
5.0
None Remote Low Not required None Partial None
In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms.
42 CVE-2019-14654 Exec Code 2019-08-05 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option. In other words, the filter attribute in subform fields allows remote code execution. This is fixed in 3.9.9.
43 CVE-2019-12765 1236 2019-06-11 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
44 CVE-2019-11831 22 Dir. Trav. Bypass 2019-05-09 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
45 CVE-2019-10946 306 2019-04-10 2020-08-24
5.0
None Remote Low Not required None Partial None
An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
46 CVE-2019-10945 22 Dir. Trav. 2019-04-10 2019-04-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.
47 CVE-2019-9713 862 2019-03-12 2020-08-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access.
48 CVE-2019-7743 502 2019-02-12 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files.
49 CVE-2018-17858 352 CSRF 2018-10-09 2018-11-26
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.
50 CVE-2018-17856 Exec Code 2018-10-09 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled the ability of Administrator-level users to access com_joomlaupdate and trigger code execution.
Total number of vulnerabilities : 318   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.