CVSS: 8.8EPSS: 0%CPEs: 180EXPL: 0CVE-2017-11364
https://notcve.org/view.php?id=CVE-2017-11364
02 Aug 2017 — The CMS installer in Joomla! before 3.7.4 does not verify a user's ownership of a webspace, which allows remote authenticated users to gain control of the target application by leveraging Certificate Transparency logs. El instalador CMS en versiones anteriores a la 3.7.4 de Joomla! no verifica la propiedad de un usuario en un espacio web, lo que permite que usuarios remotos autenticados consigan control sobre la aplicación objetivo, haciendo uso de los logs del estándar Certificate Transparency. • http://www.securitytracker.com/id/1039015 • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 0%CPEs: 160EXPL: 0CVE-2017-11612
https://notcve.org/view.php?id=CVE-2017-11612
26 Jul 2017 — In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. En Joomla! en versiones anteriores a la 3.7.4, el filtrado inadecuado de etiquetas HTML potencialmente maliciosas conduce a vulnerabilidades XSS en varios componentes. • http://www.securitytracker.com/id/1039014 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 103EXPL: 1CVE-2017-9934
https://notcve.org/view.php?id=CVE-2017-9934
17 Jul 2017 — Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability. Perdidos tokens CSRF verificados y validación inapropiada de la entrada en Joomla! CMS 1.7.3 hasta la 3.7.2 que lleva a una vulnerabilidad XSS. • https://github.com/xyringe/CVE-2017-9934 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 114EXPL: 0CVE-2017-9933
https://notcve.org/view.php?id=CVE-2017-9933
17 Jul 2017 — Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents. Invalidación del cache inapropiada en Joomla! CMS 1.7.3 hasta la 3.7.2 que lleva a una revelación de los contenidos • http://www.securityfocus.com/bid/99450 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 94%CPEs: 1EXPL: 13CVE-2017-8917 – Joomla! 3.7.0 - 'com_fields' SQL Injection
https://notcve.org/view.php?id=CVE-2017-8917
17 May 2017 — SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. Una vulnerabilidad de inyección SQL en Joomla! 3.7.x versiones anteriores a 3.7.1 permite a los atacantes ejecutar comandos SQL arbitrarios a través de vectores no especificados. The Joomla version 3.7.0 fields component suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/146946 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 57EXPL: 0CVE-2017-7989
https://notcve.org/view.php?id=CVE-2017-7989
25 Apr 2017 — In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden. Una inadecuada comprobación de tipos MIME en Joomla! 3.2.0 hasta 3.6.5 permite a usuarios con pocos privilegios cargar archivos swf aunque estén explícitamente prohibidos. • http://www.securityfocus.com/bid/98029 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 137EXPL: 0CVE-2017-7986
https://notcve.org/view.php?id=CVE-2017-7986
25 Apr 2017 — In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components. Un unadecuado sistema de filtrado de atributos HTML en Joomla! 1.5.0 hasta 3.6.5 permite realizar un ataque de cross-site scripting en varios componentes. • http://www.securityfocus.com/bid/98024 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 57EXPL: 0CVE-2017-7987
https://notcve.org/view.php?id=CVE-2017-7987
25 Apr 2017 — In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component. El escapado inadecuado de nombres de ficheros y directorios en Joomla! 3.2.0 hasta 3.6.5 deriva en vulnerabilidades XSS en el gestor de plantillas. El fallo se ha corregido en la versión 3.7.0. • http://www.securityfocus.com/bid/98021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 57EXPL: 0CVE-2017-7984
https://notcve.org/view.php?id=CVE-2017-7984
25 Apr 2017 — In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component. Un inadecuado sistema de filtrado en Joomla! 3.2.0 hasta 3.6.5 permite realizar un ataque de cross-site scripting en el componente template manager. • http://www.securityfocus.com/bid/98018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 137EXPL: 0CVE-2017-7983
https://notcve.org/view.php?id=CVE-2017-7983
25 Apr 2017 — In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers. Al enviar un email utilizando JMail API, en Joomla! 1.5.0 hasta 3.6.5, se divulga en la cabecera del email la versión de PHPMailer utilizada. El fallo ha sido corregido en la versión 3.7.0. • http://www.securityfocus.com/bid/98016 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •