CVSS: 9.8EPSS: 55%CPEs: 1EXPL: 3CVE-2019-10945 – Joomla! Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2019-10945
An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory. Un problema fue descubierto en Joomla! versiones anteriores a 3.9.5. • https://www.exploit-db.com/exploits/46710 https://github.com/dpgg101/CVE-2019-10945 http://packetstormsecurity.com/files/152515/Joomla-3.9.4-Arbitrary-File-Deletion-Directory-Traversal.html https://developer.joomla.org/security-centre/777-20190401-core-directory-traversal-in-com-media • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9712
https://notcve.org/view.php?id=CVE-2019-9712
An issue was discovered in Joomla! before 3.9.4. The JSON handler in com_config lacks input validation, leading to XSS. Se ha descubierto un problema en versiones anteriores a la 3.9.4 de Joomla!. El manipulador JSON en com_config carece de una validación de entradas, conduciendo a Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/107374 https://developer.joomla.org/security-centre/772-20190301-core-xss-in-com-config-json-handler • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9711
https://notcve.org/view.php?id=CVE-2019-9711
An issue was discovered in Joomla! before 3.9.4. The item_title layout in edit views lacks escaping, leading to XSS. Se ha descubierto un problema en versiones anteriores a la 3.9.4 de Joomla!. El diseño item_title en edit views carece de la funcionalidad de escape, conduciendo a Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/107371 https://developer.joomla.org/security-centre/773-20190302-core-xss-in-item-title-layout • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9714
https://notcve.org/view.php?id=CVE-2019-9714
An issue was discovered in Joomla! before 3.9.4. The media form field lacks escaping, leading to XSS. Se ha descubierto un problema en versiones anteriores a la 3.9.4 de Joomla!. El campo "media form" carece de la funcionalidad de escape, conduciendo a Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/107369 https://developer.joomla.org/security-centre/774-20190303-core-xss-in-media-form-field • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-7743
https://notcve.org/view.php?id=CVE-2019-7743
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. Se ha descubierto un problema en versiones anteriores a la 3.9.3 de Joomla!. El wrapper de transmisión phar:// puede emplearse para ataques de inyección de objetos debido a que no existe un mecanismo de protección (como el wrapper de transmisión PHAR TYPO3) para evitar el uso del manejador phar:// para los archivos que no son .phar. • http://www.securityfocus.com/bid/107050 https://developer.joomla.org/security-centre/770-20190206-core-implement-the-typo3-phar-stream-wrapper • CWE-502: Deserialization of Untrusted Data CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •