CVE-2012-2902
https://notcve.org/view.php?id=CVE-2012-2902
Unrestricted file upload vulnerability in editor/extensions/browser/file.php in the Joomla Content Editor (JCE) component before 2.1 for Joomla!, when chunking is set to greater than zero, allows remote authors to execute arbitrary PHP code by uploading a PHP file with a double extension, as demonstrated by .jpg.pht.
References:
http://osvdb.org/81980
http://secunia.com/advisories/49206
http://secunia.com/secunia_research/2012-15
http://www.joomlacontenteditor.net/news/item/jce-21-released?category_id=32
http://www.securityfocus.com/bid/51002
https://exchange.xforce.ibmcloud.com/vulnerabilities/75671
CVE-2012-2901
https://notcve.org/view.php?id=CVE-2012-2901
Cross-site scripting (XSS) vulnerability in the Profile List in the Joomla Content Editor (JCE) component before 2.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the search parameter to administrator/index.php.
References:
http://secunia.com/advisories/49206
http://secunia.com/secunia_research/2012-14
http://www.joomlacontenteditor.net/news/item/jce-21-released?category_id=32
http://www.securityfocus.com/bid/53559
https://exchange.xforce.ibmcloud.com/vulnerabilities/75670
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2413 – Joomla 1.5.26 ja_purity Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-2413
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php. Joomla version 1.5.26 suffers from a cross-site scripting vulnerability in the ja_purity template.
References:
http://archives.neohapsis.com/archives/bugtraq/2012-05/0021.html
http://www.securityfocus.com/bid/53382
http://www.waraxe.us/advisory-87.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/75398
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1018 – Joomla! Component Currency Converter 1.0.0 - 'from' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-1018
Cross-site scripting (XSS) vulnerability in includes/convert.php in the D-Mack Media Currency Converter (mod_currencyconverter) module 1.0.0 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the from parameter.
References:
https://www.exploit-db.com/exploits/36659
http://dl.packetstormsecurity.net/1202-exploits/joomlacurrencyconverter-xss.txt
http://www.securityfocus.com/bid/51804
https://exchange.xforce.ibmcloud.com/vulnerabilities/72917
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-5004
https://notcve.org/view.php?id=CVE-2011-5004
Unrestricted file upload vulnerability in models/importcsv.php in the Fabrik (com_fabrik) component before 2.1.1 for Joomla! allows remote authenticated users with Manager privileges to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
References:
http://secunia.com/advisories/47036
http://www.ohloh.net/p/3417/commits/145749116
http://www.osvdb.org/77371
http://www.securityfocus.com/bid/50823
http://www.vulnerability-lab.com/get_content.php?id=342