The $.extend method of jQuery is vulnerable to Object.prototype pollution attacks.
Joomla! CMS versions 3.0.0 through 3.9.4
Upgrade to version 3.9.5
The JSST at the Joomla! Security Centre.
The "refresh list of helpsites" endpoint of com_users lacks access checks, allowing calls from unauthenticated users.
Joomla! CMS versions 3.2.0 through 3.9.4
The Media Manager component does not properly sanitise the folder parameter, allowing attackers to act outside the media manager root directory.
Joomla! CMS versions 1.5.0 through 3.9.4
The sample data plugins lack ACL checks, allowing unauthorized access.
Joomla! CMS versions 3.8.0 through 3.9.3
Upgrade to version 3.9.4
The media form field lacks escaping, leading to an XSS vulnerability.
Joomla! CMS versions 3.2.0 through 3.9.3