Joomla ! vulnerabilities

CVE-2024-26278 [MEDIUM] CWE-79 CVE-2024-26278: The Custom Fields component not correctly filter inputs, leading to a XSS vector. The Custom Fields component not correctly filter inputs, leading to a XSS vector.

CVE-2024-26279 [MEDIUM] CWE-79 CVE-2024-26279: The wrapper extensions do not correctly validate inputs, leading to XSS vectors. The wrapper extensions do not correctly validate inputs, leading to XSS vectors.

CVE-2024-21730 [MEDIUM] CWE-79 CVE-2024-21730: The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector. The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.

CVE-2024-21723 [MEDIUM] CWE-601 CVE-2024-21723: Inadequate parsing of URLs could result into an open redirect. Inadequate parsing of URLs could result into an open redirect.

CVE-2024-21724 [MEDIUM] CWE-79 CVE-2024-21724: Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extens Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

CVE-2024-21725 [MEDIUM] CWE-79 CVE-2024-21725: Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components. Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.

CVE-2024-21726 [MEDIUM] CWE-79 CVE-2024-21726: Inadequate content filtering leads to XSS vulnerabilities in various components. Inadequate content filtering leads to XSS vulnerabilities in various components.

CVE-2024-21722 [MEDIUM] CWE-613 CVE-2024-21722: The MFA management features did not properly terminate existing user sessions when a user's MFA meth The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

CVE-2023-40626 [HIGH] CVE-2023-40626: The language file parsing process could be manipulated to expose environment variables. Environment The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

CVE-2023-23755 [HIGH] CWE-307 CVE-2023-23755: An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute forc An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.

CVE-2023-23754 [MEDIUM] CWE-20 CVE-2023-23754: An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redi An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

CVE-2023-23752 [MEDIUM] CWE-284 CVE-2023-23752: An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

CVE-2023-23750 [MEDIUM] CWE-352 CVE-2023-23750: An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerab An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

CVE-2023-23751 [MEDIUM] CWE-863 CVE-2023-23751: An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin u An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.

CVE-2022-27914 [MEDIUM] CWE-79 CVE-2022-27914: An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially maliciou An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.

CVE-2022-27912 [MEDIUM] CWE-200 CVE-2022-27912: An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode expos An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.

CVE-2022-27913 [MEDIUM] CWE-79 CVE-2022-27913: An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially maliciou An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

CVE-2022-27911 [MEDIUM] CVE-2022-27911: An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.

CVE-2022-23795 [CRITICAL] CWE-287 CVE-2022-23795: An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bo An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an account takeover.

CVE-2022-23797 [CRITICAL] CWE-89 CVE-2022-23797: An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection.