Threat Feed

Tag: Joomla

29 briefs
high advisory

Joomla com_booking Information Disclosure (CVE-2023-54357)

An unauthenticated information disclosure vulnerability (CVE-2023-54357) in the Joomla com_booking component version 2.4.9 allows attackers to enumerate user accounts, including names, usernames, and email addresses, by exploiting the getUserData function via specific GET requests.

Joomla! com_booking component 2.4.9 joomla web-vulnerability information-disclosure cve
high advisory

Joomla! Calendar Planner 1.0.1 SQL Injection (CVE-2017-20267)

An unauthenticated attacker can exploit CVE-2017-20267, an SQL injection vulnerability in Joomla! Component Calendar Planner 1.0.1, by sending malicious GET requests to the 'events' view via the 'category_id' parameter, allowing for sensitive database information extraction.

Calendar Planner 1.0.1 sqli web-vulnerability joomla cve
high advisory

Joomla SP Movie Database Unauthenticated SQL Injection (CVE-2017-20266)

An SQL injection vulnerability, CVE-2017-20266, in Joomla SP Movie Database version 1.3 allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the `searchword` parameter in GET requests to the `searchresults` view, enabling extraction of sensitive database information.

SP Movie Database 1.3 sqli web-application joomla cve
high advisory

Joomla! Component Flip Wall SQL Injection (CVE-2017-20265)

An SQL injection vulnerability, CVE-2017-20265, in Joomla! Component Flip Wall 8.0 allows unauthenticated attackers to execute arbitrary SQL queries via malicious GET requests to the `wallid` parameter, enabling the extraction of sensitive database information.

Flip Wall 8.0 sql-injection web-vulnerability joomla cve data-exfiltration
high advisory

Joomla! Component Sponsor Wall 8.0 SQL Injection (CVE-2017-20264)

An unauthenticated SQL injection vulnerability (CVE-2017-20264) in Joomla! Component Sponsor Wall version 8.0 allows attackers to execute arbitrary SQL queries by injecting malicious code into the `wallid` parameter of GET requests to `index.php`, leading to the extraction of sensitive database information such as credentials and configuration data.

Joomla! Component Sponsor Wall 8.0 sql-injection joomla web-application vulnerability cve
high advisory

Joomla! FocalPoint Pro/Free SQL Injection (CVE-2017-20263)

An unauthenticated SQL injection vulnerability (CVE-2017-20263) in Joomla! Component FocalPoint Pro/Free version 1.2.3 allows attackers to execute arbitrary SQL queries via a crafted 'id' parameter in GET requests, leading to sensitive database information disclosure.

FocalPoint Pro/Free sqli web-vulnerability joomla data-exfiltration
high threat

CVE-2017-20262: Joomla! Component Ajax Quiz SQL Injection

An unauthenticated SQL injection vulnerability, CVE-2017-20262, in Joomla! Component Ajax Quiz version 1.8 allows attackers to execute arbitrary SQL queries by injecting malicious code through the `cid` parameter in GET requests to `index.php` with `option=com_ajaxquiz` and `view=ajaxquiz`, leading to extraction of sensitive database information.

exploited Ajax Quiz 1.8 sql-injection web-vulnerability joomla cve
high advisory

CVE-2017-20261: Joomla! Bargain Product VM3 SQL Injection Vulnerability

An unauthenticated attacker can exploit CVE-2017-20261, a critical SQL injection vulnerability in Joomla! Component Bargain Product VM3 1.0, by injecting malicious code into the 'product_id' parameter within GET requests to the 'brainy' or 'alice' views, allowing them to execute arbitrary SQL queries and extract sensitive database information.

Bargain Product VM3 1.0 sql-injection joomla web-application cve data-exfiltration
high advisory

Joomla OSDownloads SQL Injection (CVE-2017-20259)

An unauthenticated SQL injection vulnerability (CVE-2017-20259) in Joomla OSDownloads version 1.7.4 allows attackers to execute arbitrary SQL queries via a crafted GET request to index.php, extracting sensitive database information like credentials and configuration data.

OSDownloads 1.7.4 sql-injection web-vulnerability joomla cve
high advisory

Joomla! Component RPC Responsive Portfolio 1.6.1 SQL Injection (CVE-2017-20258)

Unauthenticated attackers can exploit an SQL injection vulnerability (CVE-2017-20258) in Joomla! Component RPC Responsive Portfolio 1.6.1 by injecting malicious code through the 'id' parameter in GET requests, allowing the execution of arbitrary SQL queries and extraction of sensitive database information.

RPC Responsive Portfolio 1.6.1 sql-injection web-vulnerability joomla cve data-exfiltration
high advisory

CVE-2017-20257: Joomla! Component Quiz Deluxe SQL Injection

An unauthenticated SQL injection vulnerability (CVE-2017-20257) in Joomla! Component Quiz Deluxe 3.7.4 allows attackers to execute arbitrary SQL commands and extract sensitive information via the `ajaxaction.flag_question` task using `stu_quiz_id` or `flag_quest` parameters.

Quiz Deluxe 3.7.4 sql-injection web-application joomla cve data-exfiltration
high advisory

CVE-2017-20256 - Joomla Survey Force Deluxe SQL Injection Vulnerability

CVE-2017-20256 describes an SQL injection vulnerability in Joomla Survey Force Deluxe 3.2.4 that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'invite' parameter in GET requests, enabling the extraction of sensitive database information.

Survey Force Deluxe 3.2.4 sql-injection joomla web-application vulnerability cve
high advisory

Joomla! Component JB Visa 1.0 SQL Injection (CVE-2017-20255)

An unauthenticated SQL injection vulnerability (CVE-2017-20255) in Joomla! Component JB Visa 1.0 allows attackers to execute arbitrary SQL queries by injecting malicious code via the 'visatype' parameter in GET requests to 'index.php?option=com_bookpro&view=popup', leading to the extraction of sensitive database information including credentials.

JB Visa 1.0 sql-injection joomla web-vulnerability cve
high advisory

Joomla! User Bench Component SQL Injection (CVE-2017-20254)

An unauthenticated attacker can exploit CVE-2017-20254, an SQL injection vulnerability in the Joomla! Component User Bench 1.0, by sending crafted HTTP GET requests to extract sensitive database information including credentials and configuration data.

User Bench 1.0 sqli joomla web-vulnerability cve
high advisory

CVE-2017-20253: Joomla! Component My Projects 2.0 SQL Injection Vulnerability

An unauthenticated SQL injection vulnerability (CVE-2017-20253) in Joomla! Component My Projects 2.0 allows attackers to execute arbitrary SQL queries via the 'VerAyari' parameter, leading to the extraction of sensitive database information including credentials and system data.

My Projects 2.0 sql-injection web-application joomla cve
high advisory

CVE-2017-20252: Joomla NextGen Editor SQL Injection

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability (CVE-2017-20252) that allows unauthenticated attackers to execute arbitrary SQL commands through the `plname` parameter in crafted GET requests to `index.php?option=com_nge&view=config`, leading to the extraction of sensitive database information.

NextGen Editor 2.1.0 sqli web-vulnerability joomla cve data-exfiltration
high advisory

CVE-2018-25433 - Joomla JE Photo Gallery SQL Injection

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability, tracked as CVE-2018-25433, allowing unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter.

JE Photo Gallery 1.1 cve-2018-25433 sqli joomla
high advisory

Multiple Vulnerabilities in Joomla! Allow Privilege Escalation and Data Breaches

Multiple vulnerabilities in Joomla! versions before 5.4.6 and 6.x before 6.1.1 can allow attackers to perform privilege escalation, compromise data confidentiality, perform cross-site scripting (XSS), and conduct cross-site request forgery (CSRF) attacks.

Joomla! < 5.4.6 +1 joomla vulnerability privilege-escalation xss csrf data-breach
high advisory

Joomla Responsive Portfolio SQL Injection Vulnerability (CVE-2018-25381)

Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability, allowing authenticated attackers to execute arbitrary SQL commands through crafted POST requests.

Responsive Portfolio 1.6.1 sql-injection cve-2018-25381 joomla
high advisory

Joomla eXtroForms SQL Injection Vulnerability (CVE-2018-25380)

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability (CVE-2018-25380) that allows authenticated attackers to execute arbitrary SQL commands via crafted POST requests, potentially leading to sensitive data exposure.

eXtroForms 2.1.5 sqli joomla cve-2018-25380
high advisory

Joomla! Ek Rishta Component 2.10 SQL Injection Vulnerability

Joomla! Component Ek Rishta version 2.10 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code via the cid parameter in GET requests to the user_detail view, potentially extracting sensitive database information.

Ek Rishta 2.10 sql-injection joomla vulnerability
high advisory

CVE-2018-25330: Joomla! EkRishta Extension Vulnerabilities

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities, allowing attackers to inject malicious code through profile fields and POST parameters, potentially leading to information disclosure or arbitrary code execution.

EkRishta 2.10 cve joomla ekrishta xss sql injection web application vulnerability
high advisory

Joomla J2 JOBS 1.3.0 Authenticated SQL Injection Vulnerability (CVE-2020-37226)

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37226) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter via POST requests, potentially leading to sensitive data extraction.

J2 JOBS 1.3.0 +1 sql-injection joomla j2-jobs cve-2020-37226
high advisory

Joomla J2 JOBS 1.3.0 Authenticated SQL Injection Vulnerability (CVE-2020-37224)

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37224) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter, potentially leading to sensitive information disclosure.

J2 JOBS 1.3.0 sql-injection joomla cve-2020-37224 web-application
medium advisory

Joomla com_fabrik Directory Traversal Vulnerability (CVE-2020-37219)

Joomla com_fabrik 3.9.11 is vulnerable to a directory traversal attack (CVE-2020-37219) where an unauthenticated attacker can list arbitrary files by manipulating the folder parameter in a GET request to the onAjax_files method, using path traversal sequences to access system directories outside the web root.

com_fabrik 3.9.11 directory-traversal web-application joomla
high advisory

Joomla com_hdwplayer 4.2 SQL Injection Vulnerability

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter.

com_hdwplayer 4.2 sql-injection joomla cve-2020-37218 web-application
high advisory

CVE-2021-47930: Balbooa Joomla Forms Builder Unauthenticated SQL Injection

Balbooa Joomla Forms Builder version 2.0.6 is vulnerable to unauthenticated SQL injection via POST requests to the com_baforms component, allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information by manipulating the 'id' parameter in a JSON payload.

Forms Builder 2.0.6 +1 sql-injection joomla cve-2021-47930 web-application
critical advisory

Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system, allowing unauthenticated remote code execution and system takeover.

wordpress joomla remote-code-execution plugin
critical advisory

Joomla com_mb24sysapi Module Unauthenticated RCE (CVE-2026-32968)

An unauthenticated remote attacker can exploit an OS command injection vulnerability (CVE-2026-32968) in the com_mb24sysapi module of Joomla, leading to remote code execution and full system compromise.

cve-2026-32968 joomla rce command-injection