Convert Forms
Monthly
Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.
A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Convert Forms extension before 2.0.4 for Joomla!. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.
A SQL injection vulnerability in the Convert Forms component versions 1.0.0-1.0.0 - 4.4.9 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the submission. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Reflected Cross site scripting vulnerability in Convert Forms component for Joomla in versions before 4.4.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Convert Forms extension before 2.0.4 for Joomla!. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.