CVE-2018-12711
https://notcve.org/view.php?id=CVE-2018-12711
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL. Se ha descubierto un problema de Cross-Site Scripting (XSS) en el módulo language switcher en Joomla! • http://www.securityfocus.com/bid/104565 http://www.securitytracker.com/id/1041244 https://developer.joomla.org/security-centre/740-20180602-core-xss-vulnerability-in-language-switcher-module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-8045
https://notcve.org/view.php?id=CVE-2018-8045
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view. En Joomla!, de la versión 3.5.0 a la 3.8.5, la falta de casting de tipos en una variable de una instrucción SQL conduce a una vulnerabilidad de inyección SQL en la vista de lista User Notes. • https://github.com/luckybool1020/CVE-2018-8045 http://www.securityfocus.com/bid/103402 http://www.securitytracker.com/id/1040540 https://developer.joomla.org/security-centre/723-20180301-core-sqli-vulnerability.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-16634
https://notcve.org/view.php?id=CVE-2017-16634
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method. En Joomla! en versiones anteriores a la 3.8.2, un error permitía a terceras partes omitir el método de autenticación de doble factor de un usuario. • http://www.securityfocus.com/bid/101701 http://www.securitytracker.com/id/1039757 https://developer.joomla.org/security-centre/713-20171102-core-2-factor-authentication-bypass • CWE-287: Improper Authentication •
CVE-2017-16633
https://notcve.org/view.php?id=CVE-2017-16633
In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users. En Joomla! en versiones anteriores a la 3.8.2, un error de lógica en com_fields exponía información de solo lectura sobre los campos personalizados de una página a usuarios no autorizados. • http://www.securityfocus.com/bid/101702 http://www.securitytracker.com/id/1039757 https://developer.joomla.org/security-centre/715-20171103-core-information-disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-14596
https://notcve.org/view.php?id=CVE-2017-14596
In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. En Joomla! en versiones anteriores a la 3.8.0, un escape inadecuado en el plugin de autenticación LDAP puede resultar en una divulgación del nombre de usuario y la contraseña. • http://www.securityfocus.com/bid/100898 http://www.securitytracker.com/id/1039407 https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596 https://developer.joomla.org/security-centre/711-20170902-core-ldap-information-disclosure • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •