CVE-2018-17855
https://notcve.org/view.php?id=CVE-2018-17855
An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of an user who can approve admin verifications in the registration process, he can activate himself. Se ha descubierto un problema en Joomla! en versiones anteriores a la 03/08/2013. • http://www.securityfocus.com/bid/105559 http://www.securitytracker.com/id/1041914 https://developer.joomla.org/security-centre/754-20181004-core-acl-violation-in-com-users-for-the-admin-verification • CWE-269: Improper Privilege Management •
CVE-2018-12712
https://notcve.org/view.php?id=CVE-2018-12712
An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion. Se ha descubierto un problema en Joomla! • http://www.securityfocus.com/bid/104566 http://www.securitytracker.com/id/1041245 https://developer.joomla.org/security-centre/741-20180601-core-local-file-inclusion-with-php-5-3 • CWE-20: Improper Input Validation •
CVE-2018-12711
https://notcve.org/view.php?id=CVE-2018-12711
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL. Se ha descubierto un problema de Cross-Site Scripting (XSS) en el módulo language switcher en Joomla! • http://www.securityfocus.com/bid/104565 http://www.securitytracker.com/id/1041244 https://developer.joomla.org/security-centre/740-20180602-core-xss-vulnerability-in-language-switcher-module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-8045
https://notcve.org/view.php?id=CVE-2018-8045
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view. En Joomla!, de la versión 3.5.0 a la 3.8.5, la falta de casting de tipos en una variable de una instrucción SQL conduce a una vulnerabilidad de inyección SQL en la vista de lista User Notes. • https://github.com/luckybool1020/CVE-2018-8045 http://www.securityfocus.com/bid/103402 http://www.securitytracker.com/id/1040540 https://developer.joomla.org/security-centre/723-20180301-core-sqli-vulnerability.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-16634
https://notcve.org/view.php?id=CVE-2017-16634
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method. En Joomla! en versiones anteriores a la 3.8.2, un error permitía a terceras partes omitir el método de autenticación de doble factor de un usuario. • http://www.securityfocus.com/bid/101701 http://www.securitytracker.com/id/1039757 https://developer.joomla.org/security-centre/713-20171102-core-2-factor-authentication-bypass • CWE-287: Improper Authentication •