55 CVEs categorized as CWE-79 — Cross-site Scripting (XSS) in Joomla.
CVE-2026-23900 MEDIUM 2026
Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.
CVE-2026-21632 MEDIUM 2026
Lack of output escaping for article titles leads to XSS vectors in various locations.
CVE-2026-21631 MEDIUM 2026
Lack of output escaping leads to an XSS vector in the multilingual associations component.
CVE-2026-21624 CRITICAL 2026
Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla.
CVE-2026-21623 CRITICAL 2026
Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla.
CVE-2025-63083 MEDIUM 2025
Lack of output escaping leads to an XSS vector in the pagebreak plugin.
CVE-2025-63082 MEDIUM 2025
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.
CVE-2025-55757 MEDIUM 2025
An unauthenticated reflected XSS vulnerability in VirtueMart 1.0.0-4.4.10 for Joomla was discovered.
CVE-2025-54476 MEDIUM 2025
Improper handling of input could lead to an XSS vector in the checkAttribute method of the input filter framework class.
CVE-2025-54301 HIGH 2025
A stored XSS vulnerability in Quantum Manager component 1.0.0-3.2.0 for Joomla was discovered. File names are not properly escaped.
CVE-2025-54300 HIGH 2025
A stored XSS vulnerability in Quantum Manager component 1.0.0-3.2.0 for Joomla was discovered. The SVG upload feature does not sanitize uploads.
CVE-2025-54299 CRITICAL 2025
A stored XSS vulnerability in No Boss Testimonials component 1.0.0-3.0.0 and 4.0.0-4.0.2 for Joomla was discovered.
CVE-2025-54298 CRITICAL 2025
A stored XSS vulnerability in CommentBox component 1.0.0-1.1.0 for Joomla was discovered.
CVE-2025-54297 HIGH 2025
A stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla was discovered.
CVE-2025-54296 HIGH 2025
A stored XSS vulnerability in ProFiles component 1.0-1.5.0 for Joomla was discovered.
CVE-2025-54295 MEDIUM 2025
A reflected XSS vulnerability in DJ-Reviews component 1.0-1.3.6 for Joomla was discovered.
CVE-2025-50126 MEDIUM 2025
A stored XSS vulnerability in the RSBlog! component 1.11.6-1.14.5 for Joomla was discovered. The issue allows remote authenticated users to inject arbitrary web script or HTML via the jform[tags_text] parameter.
CVE-2025-50058 MEDIUM 2025
A stored XSS vulnerability in the RSDirectory! component 1.0.0-2.2.8 for Joomla was discovered. The issue allows remote authenticated attackers to inject arbitrary web script or HTML via the review reply component.
CVE-2025-50056 MEDIUM 2025
A reflected XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 28 for Joomla was discovered. The issue allows remote attackers to inject arbitrary web script or HTML via the crafted parameter.
CVE-2025-49486 HIGH 2025
A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items.
CVE-2025-32465 HIGH 2025
A stored XSS vulnerability in RSTickets! component 1.9.12 - 3.3.0 for Joomla was discovered. It allows attackers to perform cross-site scripting (XSS) attacks by sending a crafted payload.
CVE-2025-30084 MEDIUM 2025
A stored XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript code into text fields or ot…
CVE-2025-27754 MEDIUM 2025
A stored XSS vulnerability in RSBlog! component 1.11.6 - 1.14.4 for Joomla was discovered. The vulnerability allows authenticated users to inject malicious JavaScript into the plugin's resource. The injected payload is stored by the application and later executed when other users view the affected c…
CVE-2025-27444 MEDIUM 2025
A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filter[dateFrom] GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin or…
CVE-2024-40748 HIGH 2024
Lack of output escaping in the id attribute of menu lists.
CVE-2024-40747 MEDIUM 2024
Various module chromes didn't properly process inputs, leading to XSS vectors.
CVE-2024-40746 MEDIUM 2024
A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component < 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description` parameter is not sanitised in…
CVE-2024-40745 MEDIUM 2024
Reflected cross-site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8.
CVE-2024-40743 MEDIUM 2024
The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.
CVE-2024-27186 MEDIUM 2024
The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.
CVE-2024-27183 MEDIUM 2024
XSS vulnerability in DJ-HelpfulArticles component for Joomla.
CVE-2024-26279 MEDIUM 2024
The wrapper extensions do not correctly validate inputs, leading to XSS vectors.
CVE-2024-26278 MEDIUM 2024
The Custom Fields component does not correctly filter inputs, leading to an XSS vector.
CVE-2024-21731 MEDIUM 2024
Improper handling of input could lead to an XSS vector in the StringHelper::truncate method.
CVE-2024-21730 MEDIUM 2024
The fancyselect list field layout does not correctly escape inputs, leading to a self-XSS vector.
CVE-2024-21729 MEDIUM 2024
Inadequate input validation leads to XSS vulnerabilities in the accessiblemedia field.
CVE-2024-21727 MEDIUM 2024
XSS vulnerability in DP Calendar component for Joomla.
CVE-2024-21726 MEDIUM 2024
Inadequate content filtering leads to XSS vulnerabilities in various components.
CVE-2024-21725 MEDIUM 2024
Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
CVE-2024-21724 MEDIUM 2024
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
CVE-2023-54364 MEDIUM 2023
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, fro…
CVE-2023-54363 MEDIUM 2023
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can cra…
CVE-2023-54361 MEDIUM 2023
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties…
CVE-2023-54360 MEDIUM 2023
Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling …
CVE-2023-40659 — 2023
A reflected XSS vulnerability was discovered in the Easy Quick Contact module for Joomla.
CVE-2023-40658 — 2023
A reflected XSS vulnerability was discovered in the Clicky Analytics Dashboard module for Joomla.
CVE-2023-40657 — 2023
A reflected XSS vulnerability was discovered in the Joomdoc component for Joomla.
CVE-2023-40656 — 2023
A reflected XSS vulnerability was discovered in the Quickform component for Joomla.
CVE-2023-40655 — 2023
A reflected XSS vulnerability was discovered in the Proforms Basic component for Joomla.
CVE-2023-40628 — 2023
A reflected XSS vulnerability was discovered in the Extplorer component for Joomla.
CVE-2023-40627 — 2023
A reflected XSS vulnerability was discovered in the LivingWord component for Joomla.
CVE-2023-39971 — 2023
Improper Neutralization of Input During Web Page Generation vulnerability in AcyMailing Enterprise component for Joomla allows XSS. This issue affects AcyMailing Enterprise component for Joomla: 6.7.0-8.6.3.
CVE-2023-38045 — 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in advcomsys.com oneVote component for Joomla. It allows XSS Targeting Non-Script Elements.
CVE-2023-23756 — 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in advcomsys.com oneVote component for Joomla. It allows XSS Targeting Non-Script Elements.
CVE-2023-23754 MEDIUM 2023
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new MFA selection screen.