Joomla

An unauthenticated information disclosure vulnerability (CVE-2023-54357) in the Joomla com_booking component version 2.4.9 allows attackers to enumerate user accounts, including names, usernames, and email addresses, by exploiting the getUserData function via specific GET requests.

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability, tracked as CVE-2018-25433, allowing unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter.

Multiple vulnerabilities in Joomla! versions before 5.4.6 and 6.x before 6.1.1 can allow attackers to perform privilege escalation, compromise data confidentiality, perform cross-site scripting (XSS), and conduct cross-site request forgery (CSRF) attacks.

Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability, allowing authenticated attackers to execute arbitrary SQL commands through crafted POST requests.

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability (CVE-2018-25380) that allows authenticated attackers to execute arbitrary SQL commands via crafted POST requests, potentially leading to sensitive data exposure.

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities, allowing attackers to inject malicious code through profile fields and POST parameters, potentially leading to information disclosure or arbitrary code execution.

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37226) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter via POST requests, potentially leading to sensitive data extraction.

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37224) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter, potentially leading to sensitive information disclosure.

Joomla com_fabrik 3.9.11 is vulnerable to a directory traversal attack (CVE-2020-37219) where an unauthenticated attacker can list arbitrary files by manipulating the folder parameter in a GET request to the onAjax_files method, using path traversal sequences to access system directories outside the web root.

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter.

Balbooa Joomla Forms Builder version 2.0.6 is vulnerable to unauthenticated SQL injection via POST requests to the com_baforms component, allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information by manipulating the 'id' parameter in a JSON payload.