CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12766
https://notcve.org/view.php?id=CVE-2019-12766
An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. Un problema fue descubierto en Joomla! • http://www.securityfocus.com/bid/108735 https://developer.joomla.org/security-centre/784-20190602-core-xss-in-subform-field • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-12765 – Joomla! 3.9.0 < 3.9.7 - CSV Injection
https://notcve.org/view.php?id=CVE-2019-12765
An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection. Se descubrió un problema en Joomla anterior 3.9.7 la exportación CSV de com_actionslogs es vulnerable a la inyección de CSV. • https://www.exploit-db.com/exploits/48198 http://www.securityfocus.com/bid/108736 https://developer.joomla.org/security-centre/783-20190601-core-csv-injection-in-com-actionlogs • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12764
https://notcve.org/view.php?id=CVE-2019-12764
An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users. Se descubrió un problema en Joomla! Anterior del 3.9.7. • http://www.securityfocus.com/bid/108729 https://developer.joomla.org/security-centre/785-20190603-core-acl-hardening-of-com-joomlaupdate •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11809
https://notcve.org/view.php?id=CVE-2019-11809
An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. Un problema fue descubierto en Joomla antes del 3.9.6. Las vistas de depuración de com_users no escapan correctamente a los datos proporcionados por el usuario, lo que conduce a un posible vector de ataque XSS. • https://developer.joomla.org/security-centre/780-20190501-core-xss-in-com-users-acl-debug-view • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 218EXPL: 4CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propiedad enumerable __proto__, podría extender el Object.prototype nativo. A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. • https://github.com/isacaya/CVE-2019-11358 https://github.com/ossf-cve-benchmark/CVE-2019-11358 https://github.com/Snorlyd/https-nj.gov---CVE-2019-11358 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •