CVE-2015-5397
https://notcve.org/view.php?id=CVE-2015-5397
Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors. Vulnerabilidad de falsificación de petición de sitios cruzados (CSRF) en Joomla! 3.2.0 a través de 3.3x y 3.4x antes de 3.4.2 que permite a atacantes secuestrar la autenticación de víctimas no especificadas para enviar peticiones que descargan código a través de vectores desconocidos. • http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html http://www.securityfocus.com/bid/76495 http://www.securitytracker.com/id/1032796 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2015-4654
https://notcve.org/view.php?id=CVE-2015-4654
SQL injection vulnerability in the EQ Event Calendar component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to eqfullevent. Vulnerabilidad de inyección SQL en el componente EQ Event Calendar para Joomla! permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro id en eqfullevent. • http://packetstormsecurity.com/files/132220/Joomla-EQ-Event-Calendar-SQL-Injection.html http://www.securityfocus.com/bid/75261 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-7228 – Joomla! Component Akeeba Kickstart - Unserialize Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-7228
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive. Akeeba Restore (restore.php), utilizado en Joomla! 2.5.4 hasta 2.5.25, 3.x hasta 3.2.5, y 3.3.0 hasta 3.3.4; Akeeba Backup para Joomla! • https://www.exploit-db.com/exploits/35033 http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228 https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html • CWE-310: Cryptographic Issues •
CVE-2014-7982
https://notcve.org/view.php?id=CVE-2014-7982
Cross-site scripting (XSS) vulnerability in Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en Joomla! CMS 2.5.x anterior a 2.5.19 y 3.x anterior a 3.2.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://developer.joomla.org/security/580-20140303-core-xss-vulnerability.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-6631
https://notcve.org/view.php?id=CVE-2014-6631
Cross-site scripting (XSS) vulnerability in com_media in Joomla! 3.2.x before 3.2.5 and 3.3.x before 3.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en com_media en Joomla! 3.2.x anterior a 3.2.5 y 3.3.x anterior a 3.3.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://developer.joomla.org/security/593-20140901-core-xss-vulnerability.html http://secunia.com/advisories/61606 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •