Joomla ! vulnerabilities

CVE-2018-11327 [MEDIUM] CWE-200 CVE-2018-11327: An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the nam An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission.

CVE-2018-8045 [HIGH] CWE-89 CVE-2018-8045: In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

CVE-2018-6376 [CRITICAL] CWE-89 CVE-2018-6376: In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL in In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

CVE-2018-6377 [MEDIUM] CWE-79 CVE-2018-6377: In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in m In Joomla! before 3.8.4, inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e., list, radio, and checkbox

CVE-2018-6380 [MEDIUM] CWE-79 CVE-2018-6380: In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the In Joomla! before 3.8.4, lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.

CVE-2018-6379 [MEDIUM] CWE-79 CVE-2018-6379: In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS In Joomla! before 3.8.4, inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.

CVE-2017-16634 [CRITICAL] CWE-287 CVE-2017-16634: In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication meth In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method.

CVE-2017-16633 [MEDIUM] CWE-200 CVE-2017-16633: In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's cust In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.

CVE-2017-14596 [CRITICAL] CWE-90 CVE-2017-14596: In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a discl In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.

CVE-2015-5608 [MEDIUM] CWE-601 CVE-2015-5608: Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1. Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1.

CVE-2017-14595 [LOW] CVE-2017-14595: In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro te In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.

CVE-2017-11364 [HIGH] CWE-295 CVE-2017-11364: The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which al The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs.

CVE-2017-11612 [MEDIUM] CWE-79 CVE-2017-11612: In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulner In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.

CVE-2017-9933 [HIGH] CWE-200 CVE-2017-9933: Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents. Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents.

CVE-2017-9934 [MEDIUM] CWE-79 CVE-2017-9934: Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to a Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.

CVE-2017-8917 [CRITICAL] CWE-89 CVE-2017-8917: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2017-7987 [MEDIUM] CWE-79 CVE-2017-7987: In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.

CVE-2017-7989 [MEDIUM] CWE-434 CVE-2017-7989: In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege u In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

CVE-2017-7985 [MEDIUM] CWE-79 CVE-2017-7985: In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.

CVE-2017-7983 [MEDIUM] CWE-200 CVE-2017-7983: In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMa In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers.