Vulnerabilities (CVE)

Filtered by vendor: Joomla
Total 918 CVE
CVE | #Vendors | Vendors | #Products | Products | Updated | CVSS v2 | CVSS v3
CVE-2024-21731 1 Joomla 1 Joomla! 2024-08-16 N/A 6.1 MEDIUM
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
CVE-2024-21729 1 Joomla 1 Joomla! 2024-08-16 N/A 6.1 MEDIUM
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
CVE-2024-21730 1 Joomla 1 Joomla! 2024-08-16 N/A 5.4 MEDIUM
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
CVE-2023-23752 1 Joomla 1 Joomla! 2024-08-14 N/A 5.3 MEDIUM
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
CVE-2006-4556 2 Joomla, Mambo 2 Jim Component, Jim Component 2024-08-07 7.5 HIGH N/A
** DISPUTED ** PHP remote file inclusion vulnerability in index.php in the JIM component for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: another researcher has stated that the product distribution does not include an index.php file. Also, this might be related to CVE-2006-4242.
CVE-2006-4378 1 Joomla 1 Rssxt Component 2024-08-07 7.5 HIGH N/A
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in the Rssxt component for Joomla! (com_rssxt), possibly 2.0 Beta 1 or 1.0 and earlier, allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter in (1) pinger.php, (2) RPC.php, or (3) rssxt.php. NOTE: another researcher has disputed this issue, saying that the attacker can not control this parameter. In addition, as of 20060825, the original researcher has appeared to be unreliable with some other past reports. CVE has not performed any followup analysis with respect to this issue.
CVE-2006-4269 2 Joomla, Mambo 2 X-shop Component, X-shop Component 2024-08-07 7.5 HIGH N/A
** DISPUTED ** PHP remote file inclusion vulnerability in admin.x-shop.php in the x-shop component (com_x-shop) 1.7 and earlier for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: this issue has been disputed by third party researchers, stating that there is no mosConfig_absolute_path parameter and no admin.x-shop.php file in the reported package.
CVE-2007-5389 2 Joomla, Swmenupro 2 Joomla, Swmenufree 2024-08-07 6.8 MEDIUM N/A
** DISPUTED ** PHP remote file inclusion vulnerability in preview.php in the swMenuFree (com_swmenufree) 4.6 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: a reliable third party disputes this issue because preview.php tests a certain constant to prevent direct requests.
CVE-2007-2196 2 Joomla, Mambo 2 Jambook, Jambook 2024-08-07 6.8 MEDIUM N/A
** DISPUTED ** PHP remote file inclusion vulnerability in jambook.php in the Jambook (com_Jambook) 1.0 beta7 module for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: this issue has been disputed by a reliable third party because the jambook.php protects against direct request.
CVE-2009-0380 3 Joomla, Mambo-foundation, Sigsiu.net 3 Joomla, Mambo, Sobi2 2024-08-07 7.5 HIGH N/A
** DISPUTED ** SQL injection vulnerability in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the bid parameter in a showbiz action to index.php, a different vector than CVE-2008-0607. NOTE: CVE disputes this issue, since neither "showbiz" nor "bid" appears in the source code for SOBI2.
CVE-2010-0158 2 Joomla, Joomlabamboo 2 Joomla, Jb Simpla 2024-08-07 7.5 HIGH N/A
** DISPUTED ** SQL injection vulnerability in the JoomlaBamboo (JB) Simpla Admin template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to the com_content component, reachable through index.php. NOTE: the vendor disputes this report, saying: "JoomlaBamboo has investigated this report, and it is incorrect. There is no SQL injection vulnerability involving the id parameter in an article view, and there never was. JoomlaBamboo customers have no reason to be concerned about this report."
CVE-2024-26279 1 Joomla 1 Joomla! 2024-07-19 N/A 6.1 MEDIUM
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
CVE-2024-26278 1 Joomla 1 Joomla! 2024-07-19 N/A 6.1 MEDIUM
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
CVE-2019-11358 11 Backdropcms, Debian, Drupal and 8 more 105 Backdrop, Debian Linux, Drupal and 102 more 2024-02-16 4.3 MEDIUM 6.1 MEDIUM
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2016-10033 3 Joomla, Phpmailer Project, Wordpress 3 Joomla!, Phpmailer, Wordpress 2024-02-14 7.5 HIGH 9.8 CRITICAL
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
CVE-2009-4094 2 Designforjoomla, Joomla 2 Com Ezine, Joomla! 2024-02-14 7.5 HIGH N/A
PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path parameter.
CVE-2010-4516 2 Joomla, Jxtended 2 Joomla!, Jxtended Comments 2024-02-14 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the JXtended Comments component before 1.3.1 for Joomla allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-2909 2 Joomla, Toughtomato 2 Joomla!, Com Ttvideo 2024-02-14 7.5 HIGH N/A
SQL injection vulnerability in ttvideo.php in the TTVideo (com_ttvideo) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a video action to index.php.
CVE-2010-0946 2 Joomla, Kiss-software 2 Joomla!, Com Ksadvertiser 2024-02-14 7.5 HIGH N/A
SQL injection vulnerability in the Keep It Simple Stupid (KISS) Software Advertiser (com_ksadvertiser) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showcats action to index.php.
CVE-2006-1957 2 Joomla, Mambo-foundation 2 Joomla!, Mambo 2024-02-14 5.0 MEDIUM N/A
The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter.