CVE-2019-9713
https://notcve.org/view.php?id=CVE-2019-9713
An issue was discovered in Joomla! before 3.9.4. The sample data plugins lack ACL checks, allowing unauthorized access. Se ha descubierto un problema en versiones anteriores a la 3.9.4 de Joomla!. Los plugins de datos de muestra carecen de comprobaciones de listas de control de acceso, posibilitando un acceso no autorizado. • http://www.securityfocus.com/bid/107372 https://developer.joomla.org/security-centre/775-20190304-core-missing-acl-check-in-sample-data-plugins • CWE-862: Missing Authorization •
CVE-2019-7744
https://notcve.org/view.php?id=CVE-2019-7744
An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability. Se ha descubierto un problema en versiones anteriores a la 3.9.3 de Joomla!. El filtrado inadecuado de los campos de URL en varios componentes core podría conducir a una vulnerabilidad XSS. • https://developer.joomla.org/security-centre/765-20190201-core-lack-of-url-filtering-in-various-core-components • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-7739
https://notcve.org/view.php?id=CVE-2019-7739
An issue was discovered in Joomla! before 3.9.3. The "No Filtering" textfilter overrides child settings in the Global Configuration. This is intended behavior. However, it might be unexpected for the user because the configuration dialog lacks an additional message to explain this. • http://www.securityfocus.com/bid/107015 https://developer.joomla.org/security-centre/767-20190203-core-additional-warning-in-the-global-configuration-textfilter-settings •
CVE-2019-7742
https://notcve.org/view.php?id=CVE-2019-7742
An issue was discovered in Joomla! before 3.9.3. A combination of specific web server configurations, in connection with specific file types and browser-side MIME-type sniffing, causes an XSS attack vector. Se ha descubierto un problema en versiones anteriores a la 3.9.3 de Joomla!. Una combinación de configuraciones específicas del servidor web, junto con tipos de archivo concretos y el rastreo de tipo MIME del lado del servidor, provoca un vector de ataque XSS. • https://developer.joomla.org/security-centre/766-20190202-core-browserside-mime-type-sniffing-causes-xss-attack-vectors • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-7743
https://notcve.org/view.php?id=CVE-2019-7743
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. Se ha descubierto un problema en versiones anteriores a la 3.9.3 de Joomla!. El wrapper de transmisión phar:// puede emplearse para ataques de inyección de objetos debido a que no existe un mecanismo de protección (como el wrapper de transmisión PHAR TYPO3) para evitar el uso del manejador phar:// para los archivos que no son .phar. • http://www.securityfocus.com/bid/107050 https://developer.joomla.org/security-centre/770-20190206-core-implement-the-typo3-phar-stream-wrapper • CWE-502: Deserialization of Untrusted Data CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •