CVE-2023-23752

Known exploited
Public exploit
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Max CVSS
5.3
EPSS Score
95.21%
Published
2023-02-16
Updated
2024-01-09
CISA KEV Added
2024-01-08

CVE-2017-8917

Public exploit
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
9.8
EPSS Score
97.56%
Published
2017-05-17
Updated
2019-04-16

CVE-2016-10045

Public exploit
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Max CVSS
9.8
EPSS Score
96.69%
Published
2016-12-30
Updated
2021-09-30

CVE-2016-10033

Public exploit
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Max CVSS
9.8
EPSS Score
97.13%
Published
2016-12-30
Updated
2021-09-30

CVE-2016-8870

Public exploit
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.
Max CVSS
8.1
EPSS Score
91.42%
Published
2016-11-04
Updated
2017-07-29

CVE-2016-8869

Public exploit
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
Max CVSS
9.8
EPSS Score
92.93%
Published
2016-11-04
Updated
2016-11-07

CVE-2015-8562

Public exploit
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
Max CVSS
7.5
EPSS Score
97.31%
Published
2015-12-16
Updated
2018-10-09

CVE-2015-7858

Public exploit
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
Max CVSS
7.5
EPSS Score
84.85%
Published
2015-10-29
Updated
2017-09-13

CVE-2015-7857

Public exploit
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.
Max CVSS
7.5
EPSS Score
84.85%
Published
2015-10-29
Updated
2017-09-13

CVE-2015-7297

Public exploit
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
Max CVSS
7.5
EPSS Score
97.56%
Published
2015-10-29
Updated
2017-09-13

CVE-2014-7228

Public exploit
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.
Max CVSS
7.5
EPSS Score
95.17%
Published
2014-11-03
Updated
2016-05-09

CVE-2013-5576

Public exploit
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
Max CVSS
6.8
EPSS Score
78.47%
Published
2013-10-09
Updated
2013-12-01
An Open Redirect vulnerability was found in osTicky2 below 2.2.8. osTicky (osTicket Bridge) by SmartCalc is a Joomla 3.x extension that provides Joomla fronted integration with osTicket, a popular Support ticket system. The Open Redirect vulnerability allows attackers to control the return parameter in the URL to a base64 malicious URL.
Max CVSS
N/A
EPSS Score
0.06%
Published
2024-02-15
Updated
2024-02-16
The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.
Max CVSS
7.5
EPSS Score
0.09%
Published
2023-11-29
Updated
2023-12-05
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
Max CVSS
7.5
EPSS Score
0.09%
Published
2023-05-30
Updated
2023-06-06
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.
Max CVSS
6.1
EPSS Score
0.06%
Published
2023-05-30
Updated
2023-06-06
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
Max CVSS
4.3
EPSS Score
0.07%
Published
2023-02-01
Updated
2023-02-09
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
Max CVSS
6.3
EPSS Score
0.06%
Published
2023-02-01
Updated
2023-02-08
An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.
Max CVSS
6.1
EPSS Score
0.31%
Published
2022-11-08
Updated
2023-12-02
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
Max CVSS
6.1
EPSS Score
0.31%
Published
2022-10-25
Updated
2023-12-02
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
Max CVSS
5.3
EPSS Score
0.13%
Published
2022-10-25
Updated
2023-12-02
An issue was discovered in Joomla! 4.2.0. Multiple Full Path Disclosures because of missing '_JEXEC or die check' caused by the PSR12 changes.
Max CVSS
5.3
EPSS Score
0.12%
Published
2022-08-31
Updated
2022-09-05
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Possible XSS atack vector through SVG embedding in com_media.
Max CVSS
6.1
EPSS Score
0.25%
Published
2022-03-30
Updated
2022-04-05
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Inadequate content filtering leads to XSS vulnerabilities in various components.
Max CVSS
6.1
EPSS Score
0.25%
Published
2022-03-30
Updated
2022-04-05
An issue was discovered in Joomla! 4.0.0 through 4.1.0. Under specific circumstances, JInput pollutes method-specific input bags with $_REQUEST data.
Max CVSS
9.8
EPSS Score
0.20%
Published
2022-03-30
Updated
2022-04-05
487 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!