• Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.8.1
  • Exploit type: Information Disclosure
  • Reported Date: 2017-May-17
  • Fixed Date: 2017-November-07
  • CVE Number: CVE-2017-16633

Description

A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.

Affected Installs

Joomla! CMS versions 3.7.0...

HDW Player, 4.0.0 and all other versions, remote code execution

Note that this vulnerability was supposedly fixed by the developer in version 3.2.2; the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that this extension should be regarded as malicious and...

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.7.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-August-4
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14595

Description

A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.

Affected Installs

Joomla!...

Google Maps by Reumer, from mapsplugin.com, version 3.5, malicious update

Version 3.3 of this plugin is listed in the JED and appears to be clean. However, once installed, the Joomla update manager prompts you to update this extension to version 3.5 (which is not officially published). This version contains hidden backlinks and a potential backdoor,...

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Medium
  • Versions: 1.5.0 through 3.7.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-July-27
  • Fixed Date: 2017-September-19
  • CVE Number: CVE-2017-14596

Description

Inadequate escaping in the LDAP authentication plugin can result in the disclosure of username and password.

Affected Installs

Joomla! CMS versions...