Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks using the logo parameter of the default templates.
Advisories for Composer/Joomla/Joomla-Cms package
2022
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files.