cbcvebase.

Joomla ! vulnerabilities

296 known vulnerabilities affecting joomla/joomla_!.

Total CVEs
296
CISA KEV
2
actively exploited
Public exploits
23
Exploited in wild
8
Severity breakdown
CRITICAL38HIGH74MEDIUM182LOW2

Vulnerabilities

Page 1 of 15
CVE-2016-10033P1CRITICALCVSS 9.8KEVPoC≥ 1.5.0, ≤ 3.6.52016-12-30
CVE-2016-10033 [CRITICAL] CWE-88 CVE-2016-10033: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attacker The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
nvd
CVE-2023-23752P1MEDIUMCVSS 5.3KEVPoC≥ 4.0.0, < 4.2.82023-02-16
CVE-2023-23752 [MEDIUM] CWE-284 CVE-2023-23752: An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
nvd
CVE-2016-8869P1CRITICALCVSS 9.8ExploitedPoC≤ 3.6.32016-11-04
CVE-2016-8869 [CRITICAL] CWE-20 CVE-2016-8869: The register method in the UsersModelRegistration class in controllers/user.php in the Users compone The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
nvd
CVE-2016-8870P1HIGHCVSS 8.1ExploitedPoC≤ 3.6.32016-11-04
CVE-2016-8870 [HIGH] CWE-20 CVE-2016-8870: The register method in the UsersModelRegistration class in controllers/user.php in the Users compone The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.
nvd
CVE-2015-8562P2HIGHCVSS 7.5ExploitedPoCv1.5.0v1.5.1+93 more2015-12-16
CVE-2015-8562 [HIGH] CWE-20 CVE-2015-8562: Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection atta Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
nvd
CVE-2015-7858P2HIGHCVSS 7.5ExploitedPoCv3.2.0v3.2.1+12 more2015-10-29
CVE-2015-7858 [HIGH] CVE-2015-7858: SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
nvd
CVE-2019-11358P2MEDIUMCVSS 6.1ExploitedPoC≥ 3.0.0, ≤ 3.9.42019-04-20
CVE-2019-11358 [MEDIUM] CWE-1321 CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(t jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
nvd
CVE-2013-5576P2MEDIUMCVSS 6.8ExploitedPoCv2.5.0v2.5.1+22 more2013-10-09
CVE-2013-5576 [MEDIUM] CWE-20 CVE-2013-5576: administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2. administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
nvd
CVE-2017-8917P1CRITICALCVSS 9.8PoCv3.7.02017-05-17
CVE-2017-8917 [CRITICAL] CWE-89 CVE-2017-8917: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2016-10045P1CRITICALCVSS 9.8PoC≥ 1.5.0, ≤ 3.6.52016-12-30
CVE-2016-10045 [CRITICAL] CVE-2016-10045: The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameter The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for
nvd
CVE-2015-7297P2HIGHCVSS 7.5PoCv3.2.0v3.2.1+13 more2015-10-29
CVE-2015-7297 [HIGH] CWE-89 CVE-2015-7297: SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
nvd
CVE-2015-7857P2HIGHCVSS 7.5PoCv3.2.0v3.2.1+13 more2015-10-29
CVE-2015-7857 [HIGH] CWE-89 CVE-2015-7857: SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthist SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.
nvd
CVE-2019-10945P2CRITICALCVSS 9.8PoC≥ 1.5.0, ≤ 3.9.42019-04-10
CVE-2019-10945 [CRITICAL] CWE-22 CVE-2019-10945: An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanit An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.
nvd
CVE-2014-7228P2HIGHCVSS 7.5PoCv2.5.4v2.5.5+43 more2014-11-03
CVE-2014-7228 [HIGH] CWE-310 CVE-2014-7228: Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when p
nvd
CVE-2019-12765P2CRITICALCVSS 9.8PoC≥ 3.9.0, ≤ 3.9.62019-06-11
CVE-2019-12765 [CRITICAL] CWE-1236 CVE-2019-12765: An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
nvd
CVE-2016-9838P3HIGHCVSS 7.5PoC≤ 3.6.42016-12-16
CVE-2016-9838 [HIGH] CWE-284 CVE-2016-9838: An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Inc An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targ
nvd
CVE-2014-7981P3HIGHCVSS 7.5PoCv3.1.0v3.1.1+8 more2014-10-08
CVE-2014-7981 [HIGH] CWE-89 CVE-2014-7981: SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to e SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2012-1563P3HIGHCVSS 7.5PoCfixed in 2.5.32020-01-15
CVE-2012-1563 [HIGH] CWE-269 CVE-2012-1563: Joomla! before 2.5.3 allows Admin Account Creation. Joomla! before 2.5.3 allows Admin Account Creation.
nvd
CVE-2020-35613P2CRITICALCVSS 9.8≥ 3.0.0, ≤ 3.9.222020-12-28
CVE-2020-35613 [CRITICAL] CWE-89 CVE-2020-35613: An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration lea An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
nvd
CVE-2012-1116P3HIGHCVSS 7.5PoCv1.7.0v1.7.1+6 more2012-09-26
CVE-2012-1116 [HIGH] CWE-89 CVE-2012-1116: SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execu SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
1 / 15Next →
Joomla ! vulnerabilities | cvebase