CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8420
https://notcve.org/view.php?id=CVE-2020-8420
28 Jan 2020 — An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability. Se detectó un problema en Joomla! versiones anteriores a 3.9.15. • https://developer.joomla.org/security-centre/799-20200102-core-csrf-com-templates-less-compiler • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19846
https://notcve.org/view.php?id=CVE-2019-19846
18 Dec 2019 — In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors. En Joomla! versiones anteriores a la versión 3.9.14, la falta de comprobación de los parámetros de configuración utilizados en las consultas SQL causó varios vectores de inyección SQL. • https://developer.joomla.org/security-centre/797-20191202-core-various-sql-injections-through-configuration-parameters • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-18650
https://notcve.org/view.php?id=CVE-2019-18650
06 Nov 2019 — An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability. Se descubrió un problema en Joomla! versiones anteriores a la versión 3.9.13. • https://developer.joomla.org/security-centre/794-20191001-core-csrf-in-com-template-overrides-view.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-18674
https://notcve.org/view.php?id=CVE-2019-18674
06 Nov 2019 — An issue was discovered in Joomla! before 3.9.13. A missing access check in the phputf8 mapping files could lead to a path disclosure. Se descubrió un problema en Joomla! versiones anteriores a 3.9.13. • https://developer.joomla.org/security-centre/795-20191002-core-path-disclosure-in-phpuft8-mapping-files.html • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 4%CPEs: 1EXPL: 0CVE-2019-16725
https://notcve.org/view.php?id=CVE-2019-16725
24 Sep 2019 — In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates. En Joomla! versiones 3.x anteriores a 3.9.12, el escape inadecuado permitió ataques de tipo XSS utilizando el parámetro logo de las plantillas predeterminadas. • https://developer.joomla.org/security-centre/791-20190901-core-xss-in-logo-parameter-of-default-templates.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15028
https://notcve.org/view.php?id=CVE-2019-15028
14 Aug 2019 — In Joomla! before 3.9.11, inadequate checks in com_contact could allow mail submission in disabled forms. En Joomla! versiones anteriores a 3.9.11, las comprobaciones inadecuadas en la función com_contact podrían permitir el envío de correo en formularios deshabilitados. • https://developer.joomla.org/security-centre/789-20190801-core-hardening-com-contact-contact-form •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12766
https://notcve.org/view.php?id=CVE-2019-12766
11 Jun 2019 — An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors. Un problema fue descubierto en Joomla! • http://www.securityfocus.com/bid/108735 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11809
https://notcve.org/view.php?id=CVE-2019-11809
20 May 2019 — An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. Un problema fue descubierto en Joomla antes del 3.9.6. Las vistas de depuración de com_users no escapan correctamente a los datos proporcionados por el usuario, lo que conduce a un posible vector de ataque XSS. • https://developer.joomla.org/security-centre/780-20190501-core-xss-in-com-users-acl-debug-view • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 218EXPL: 7CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
19 Apr 2019 — jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propi... • https://github.com/isacaya/CVE-2019-11358 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10946
https://notcve.org/view.php?id=CVE-2019-10946
10 Apr 2019 — An issue was discovered in Joomla! before 3.9.5. The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users. Se descubrió un problema en Joomla! versión anterior al 3.9.5. • https://developer.joomla.org/security-centre/778-20190402-core-helpsites-refresh-endpoint-callable-for-unauthenticated-users • CWE-306: Missing Authentication for Critical Function •