CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17856
https://notcve.org/view.php?id=CVE-2018-17856
An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled the ability of Administrator-level users to access com_joomlaupdate and trigger code execution. Se ha descubierto un problema en Joomla! en versiones anteriores a la 3.8.13. com_joomlaupdate permite la ejecución de código arbitrario. • http://www.securityfocus.com/bid/105559 http://www.securitytracker.com/id/1041914 https://developer.joomla.org/security-centre/752-20181002-core-inadequate-default-access-level-for-com-joomlaupdate.html •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12712
https://notcve.org/view.php?id=CVE-2018-12712
An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. The autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3, this function validates invalid names as valid, which can result in a Local File Inclusion. Se ha descubierto un problema en Joomla! • http://www.securityfocus.com/bid/104566 http://www.securitytracker.com/id/1041245 https://developer.joomla.org/security-centre/741-20180601-core-local-file-inclusion-with-php-5-3 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2018-12711
https://notcve.org/view.php?id=CVE-2018-12711
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL. Se ha descubierto un problema de Cross-Site Scripting (XSS) en el módulo language switcher en Joomla! • http://www.securityfocus.com/bid/104565 http://www.securitytracker.com/id/1041244 https://developer.joomla.org/security-centre/740-20180602-core-xss-vulnerability-in-language-switcher-module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 1CVE-2018-8045
https://notcve.org/view.php?id=CVE-2018-8045
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view. En Joomla!, de la versión 3.5.0 a la 3.8.5, la falta de casting de tipos en una variable de una instrucción SQL conduce a una vulnerabilidad de inyección SQL en la vista de lista User Notes. • https://github.com/luckybool1020/CVE-2018-8045 http://www.securityfocus.com/bid/103402 http://www.securitytracker.com/id/1040540 https://developer.joomla.org/security-centre/723-20180301-core-sqli-vulnerability.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16633
https://notcve.org/view.php?id=CVE-2017-16633
In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users. En Joomla! en versiones anteriores a la 3.8.2, un error de lógica en com_fields exponía información de solo lectura sobre los campos personalizados de una página a usuarios no autorizados. • http://www.securityfocus.com/bid/101702 http://www.securitytracker.com/id/1039757 https://developer.joomla.org/security-centre/715-20171103-core-information-disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •