Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.

Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.

Inadequate parsing of URLs could result into an open redirect.

The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.

SQLi vulnerability in S5 Register module for Joomla.

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team Slideshow, Image Slider by 2J plugin <= 1.3.54 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay Lulia wSecure Lite plugin <= 2.5 versions.

The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twoj_slideshow_setup' function called via the wp_ajax_twoj_slideshow_setup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers (Subscriber, or above level access) to allow attackers to perform otherwise restricted actions and subsequently deactivate any plugins on the blog.

An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.