基础信息
项目名称:joomla/joomla-cms
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1719254201543737344/1719254205050175488
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| 低危 | ||||
| Joomla 路径遍历漏洞 | 路径遍历 | MPS-2021-2536 | CVE-2021-26028 | 中危 |
| TinyMCE 安全漏洞 | XSS | MPS-eotc-m5x4 | CVE-2023-45818 | 中危 |
| Tiny Technologies TinyMCE 安全漏洞 | XSS | MPS-gpyx-i472 | CVE-2023-45819 | 中危 |
| PostCSS 安全漏洞 | 注入 | MPS-y3tx-jzms | CVE-2023-44270 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| joomla/archive | 3.0.0 | 3.9.25 | 间接依赖 | 可选修复 |
| tinymce | 6.7.0 | 6.7.1 | 间接依赖 | 可选修复 |
| postcss | 8.4.30 | 8.4.31 | 间接依赖 | 可选修复 |
| enshrined/svg-sanitize | 0.15.4 | 0.16.0 | 间接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 141 | 低 |
| BSD-3-Clause | 9 | 低 |
| Apache-2.0 | 2 | 低 |
| ISC | 4 | 低 |
| GPL-2.0-or-later | 2 | 低 |
| W3C | 1 | 低 |
| CC0-1.0 | 1 | 低 |
| 0BSD | 1 | 低 |
| BSD | 1 | 低 |
| BSD-2-Clause | 1 | 低 |
| LGPL-2.1 | 1 | 中 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| @lezer/lr | 1.3.10 | 间接依赖 | npm |
| symfony/ldap | v6.3.0 | 间接依赖 | composer |
| mark.js | 8.11.1 | 间接依赖 | npm |
| laminas/laminas-diactoros | 2.25.2 | 间接依赖 | composer |
| dom-walk | 0.1.2 | 间接依赖 | npm |
| joomla/console | 3.0.0 | 间接依赖 | composer |
| joomla/database | 3.0.0 | 间接依赖 | composer |
| @codemirror/view | 6.17.1 | 间接依赖 | npm |
| fuse.js | 3.6.1 | 间接依赖 | npm |
| diff | 5.1.0 | 间接依赖 | npm |
| @lezer/php | 1.0.1 | 间接依赖 | npm |
| jquery-migrate | 3.4.1 | 间接依赖 | npm |
| jakeasmith/http_build_url | 1.0.1 | 间接依赖 | composer |
| voku/portable-ascii | 2.0.1 | 间接依赖 | composer |
| punycode | 2.3.0 | 间接依赖 | npm |
| jquery | 3.7.1 | 间接依赖 | npm |
| doctrine/inflector | 1.4.4 | 间接依赖 | composer |
| vue-focus-lock | 2.0.5 | 间接依赖 | npm |
| @codemirror/search | 6.5.2 | 间接依赖 | npm |
| psr/event-dispatcher | 1.0.0 | 间接依赖 | composer |
| joomla/input | 3.0.0 | 间接依赖 | composer |
| joomla/uri | 3.0.0 | 间接依赖 | composer |
| joomla/application | 3.0.0 | 间接依赖 | composer |
| web-token/signature-pack | 3.2.8 | 间接依赖 | composer |
| web-token/jwt-signature-algorithm-hmac | 3.2.8 | 间接依赖 | composer |
| joomla/oauth2 | 3.0.0 | 间接依赖 | composer |
| maximebf/debugbar | v1.19.0 | 间接依赖 | composer |
| joomla/filter | 3.0.0 | 间接依赖 | composer |
| psr/link | 1.1.1 | 间接依赖 | composer |
| jfcherng/php-mb-string | 2.0.1 | 间接依赖 | composer |
| symfony/console | v6.3.4 | 间接依赖 | composer |
| vue-demi | 0.13.11 | 间接依赖 | npm |
| joomla/event | 3.0.0 | 间接依赖 | composer |
| joomla/archive | 3.0.0 | 间接依赖 | composer |
| @lezer/markdown | 1.1.0 | 间接依赖 | npm |
| joomla/session | 3.0.0 | 间接依赖 | composer |
| voku/portable-utf8 | 6.0.13 | 间接依赖 | composer |
| joomla-ui-custom-elements | 0.2.0 | 间接依赖 | npm |
| wamania/php-stemmer | v3.0.1 | 间接依赖 | composer |
| joomla/utilities | 3.0.0 | 间接依赖 | composer |
| focus-lock | 0.11.6 | 间接依赖 | npm |
| psr/container | 1.1.2 | 间接依赖 | composer |
| source-map-js | 1.0.2 | 间接依赖 | npm |
| bootstrap | 5.3.2 | 间接依赖 | npm |
| lcobucci/clock | 3.0.0 | 间接依赖 | composer |
| joomla/router | 3.0.0 | 间接依赖 | composer |
| focus-visible | 5.2.0 | 间接依赖 | npm |
| MSVCRT.dll | 间接依赖 | ||
| @lezer/json | 1.0.1 | 间接依赖 | npm |
| brick/math | 0.11.0 | 间接依赖 | composer |
| @lezer/xml | 1.0.2 | 间接依赖 | npm |
| joomla/filesystem | 3.0.0 | 间接依赖 | composer |
| paragonie/sodium_compat | v1.20.0 | 间接依赖 | composer |
| tippy.js | 6.3.7 | 间接依赖 | npm |
| phpseclib/phpseclib | 3.0.23 | 间接依赖 | composer |
| symfony/service-contracts | v2.5.2 | 间接依赖 | composer |
| web-auth/metadata-service | 4.5.2 | 间接依赖 | composer |
| flatted | 3.2.7 | 间接依赖 | npm |
| joomla/data | 3.0.0 | 间接依赖 | composer |
| symfony/polyfill-php72 | 间接依赖 | composer | |
| defuse/php-encryption | v2.4.0 | 间接依赖 | composer |
| @babel/runtime | 7.22.15 | 间接依赖 | npm |
| enshrined/svg-sanitize | 0.15.4 | 间接依赖 | composer |
| psr/http-factory | 1.0.2 | 间接依赖 | composer |
| regenerator-runtime | 0.14.0 | 间接依赖 | npm |
| symfony/web-link | v6.3.0 | 间接依赖 | composer |
| crelt | 1.0.6 | 间接依赖 | npm |
| @lezer/html | 1.3.6 | 间接依赖 | npm |
| @webcomponents/webcomponentsjs | 2.8.0 | 间接依赖 | npm |
| web-auth/cose-lib | 4.2.3 | 间接依赖 | composer |
| dragula | 3.7.3 | 间接依赖 | npm |
| estree-walker | 2.0.2 | 间接依赖 | npm |
| paragonie/random_compat | 间接依赖 | composer | |
| @lezer/common | 1.0.4 | 间接依赖 | npm |
| fig/link-util | 1.2.0 | 间接依赖 | composer |
| tobscure/json-api | dev-joomla-backports | 间接依赖 | composer |
| @codemirror/language | 6.9.0 | 间接依赖 | npm |
| @claviska/jquery-minicolors | 2.3.6 | 间接依赖 | npm |
| symfony/polyfill-intl-grapheme | v1.28.0 | 间接依赖 | composer |
| symfony/uid | v6.3.0 | 间接依赖 | composer |
| symfony/error-handler | v6.3.2 | 间接依赖 | composer |
| atoa | 1.0.0 | 间接依赖 | npm |
| global | 4.4.0 | 间接依赖 | npm |
| vuex-persist | 3.1.3 | 间接依赖 | npm |
| @codemirror/lang-css | 6.2.1 | 间接依赖 | npm |
| redux | 4.2.1 | 间接依赖 | npm |
| spomky-labs/pki-framework | 1.1.0 | 间接依赖 | composer |
| algo26-matthias/idna-convert | v3.1.0 | 间接依赖 | composer |
| typo3/phar-stream-wrapper | v3.1.7 | 间接依赖 | composer |
| @codemirror/lang-html | 6.4.6 | 间接依赖 | npm |
| magic-string | 0.25.9 | 间接依赖 | npm |
| composer/ca-bundle | 1.3.7 | 间接依赖 | composer |
| symfony/string | v6.3.2 | 间接依赖 | composer |
| @codemirror/lang-php | 6.0.1 | 间接依赖 | npm |
| short-and-sweet | 1.0.4 | 间接依赖 | npm |
| web-token/jwt-signature-algorithm-experimental | 3.2.8 | 间接依赖 | composer |
| @codemirror/lang-markdown | 6.2.0 | 间接依赖 | npm |
| @vue/compiler-dom | 3.2.45 | 间接依赖 | npm |
| svg4everybody | 2.1.9 | 间接依赖 | npm |
| tslib | 2.6.2 | 间接依赖 | npm |
| joomla/language | 3.0.0 | 间接依赖 | composer |
| choices.js | 9.1.0 | 间接依赖 | npm |
| KERNEL32.dll | 间接依赖 | ||
| @codemirror/commands | 6.2.5 | 间接依赖 | npm |
| process | 0.11.10 | 间接依赖 | npm |
| @lezer/highlight | 1.1.6 | 间接依赖 | npm |
| joomla/http | 3.0.0 | 间接依赖 | composer |
| style-mod | 4.1.0 | 间接依赖 | npm |
| w3c-keyname | 2.2.8 | 间接依赖 | npm |
| sourcemap-codec | 1.4.8 | 间接依赖 | npm |
| vuex | 4.1.0 | 间接依赖 | npm |
| accessibility | 3.0.17 | 间接依赖 | npm |
| @popperjs/core | 2.11.8 | 间接依赖 | npm |
| spomky-labs/cbor-php | 3.0.2 | 间接依赖 | composer |
| @codemirror/autocomplete | 6.9.0 | 间接依赖 | npm |
| web-token/jwt-signature | 3.2.8 | 间接依赖 | composer |
| min-document | 2.19.0 | 间接依赖 | npm |
| custom-event | 1.0.1 | 间接依赖 | npm |
| joomla/authentication | 3.0.0 | 间接依赖 | composer |
| joomla/crypt | 3.0.0 | 间接依赖 | composer |
| @floating-ui/dom | 1.5.1 | 间接依赖 | npm |
| jfcherng/php-color-output | 3.0.0 | 间接依赖 | composer |
| @lezer/javascript | 1.4.7 | 间接依赖 | npm |
| contra | 1.9.4 | 间接依赖 | npm |
| @codemirror/lang-javascript | 6.2.1 | 间接依赖 | npm |
| source-map | 0.6.1 | 间接依赖 | npm |
| joomla/oauth1 | 3.0.0 | 间接依赖 | composer |
| postcss | 8.4.30 | 间接依赖 | npm |
| @vue/devtools-api | 6.5.0 | 间接依赖 | npm |
| ticky | 1.0.1 | 间接依赖 | npm |
| @codemirror/lang-xml | 6.0.2 | 间接依赖 | npm |
| psr/http-message | 1.1 | 间接依赖 | composer |
| @floating-ui/core | 1.4.1 | 间接依赖 | npm |
| hotkeys-js | 3.12.0 | 间接依赖 | npm |
| joomla/di | 3.0.0 | 间接依赖 | composer |
| @babel/parser | 7.22.16 | 间接依赖 | npm |
| @vue/runtime-dom | 3.2.45 | 间接依赖 | npm |
| phpseclib/bcmath_compat | 2.0.1 | 间接依赖 | composer |
| willdurand/negotiation | 3.1.0 | 间接依赖 | composer |
| web-token/jwt-signature-algorithm-rsa | 3.2.8 | 间接依赖 | composer |
| nanoid | 3.3.6 | 间接依赖 | npm |
| @floating-ui/utils | 0.1.1 | 间接依赖 | npm |
| psr/http-client | 1.0.3 | 间接依赖 | composer |
| @lezer/css | 1.1.3 | 间接依赖 | npm |
| web-auth/webauthn-lib | 4.5.2 | 间接依赖 | composer |
| skipto | 4.1.7 | 间接依赖 | npm |
| cropperjs | 1.6.1 | 间接依赖 | npm |
| dragonmantank/cron-expression | v3.3.3 | 间接依赖 | composer |
| dotenv | 16.3.1 | 间接依赖 | npm |
| tinymce | 6.7.0 | 间接依赖 | npm |
| roboto-fontface | 0.10.0 | 间接依赖 | npm |
| metismenujs | 1.4.0 | 间接依赖 | npm |
| symfony/polyfill-intl-normalizer | v1.28.0 | 间接依赖 | composer |
| webmozart/assert | 1.11.0 | 间接依赖 | composer |
| chosen-js | 1.8.7 | 间接依赖 | npm |
| psr/log | 3.0.0 | 间接依赖 | composer |
| @vue/server-renderer | 3.2.45 | 间接依赖 | npm |
| symfony/polyfill-ctype | v1.28.0 | 间接依赖 | composer |
| symfony/yaml | v6.3.3 | 间接依赖 | composer |
| @fortawesome/fontawesome-free | 6.4.2 | 间接依赖 | npm |
| shepherd.js | 11.2.0 | 间接依赖 | npm |
| @codemirror/state | 6.2.1 | 间接依赖 | npm |
| jfcherng/php-sequence-matcher | 4.0.3 | 间接依赖 | composer |
| qrcode-generator | 1.4.4 | 间接依赖 | npm |
| joomla/registry | 3.0.0 | 间接依赖 | composer |
| jfcherng/php-diff | 6.15.3 | 间接依赖 | composer |
| web-token/jwt-core | 3.2.8 | 间接依赖 | composer |
| symfony/polyfill-uuid | v1.28.0 | 间接依赖 | composer |
| csstype | 2.6.21 | 间接依赖 | npm |
| symfony/polyfill-iconv | v1.28.0 | 间接依赖 | composer |
| web-token/jwt-signature-algorithm-ecdsa | 3.2.8 | 间接依赖 | composer |
| @vue/runtime-core | 3.2.45 | 间接依赖 | npm |
| @vue/reactivity | 3.2.45 | 间接依赖 | npm |
| google/recaptcha | 1.3.0 | 间接依赖 | composer |
| @vue/shared | 3.2.45 | 间接依赖 | npm |
| mediaelement | 5.1.1 | 间接依赖 | npm |
| phpmailer/phpmailer | v6.8.1 | 间接依赖 | composer |
| psr/clock | 1.0.0 | 间接依赖 | composer |
| symfony/deprecation-contracts | v3.3.0 | 间接依赖 | composer |
| @vue/compiler-ssr | 3.2.45 | 间接依赖 | npm |
| web-token/jwt-signature-algorithm-none | 3.2.8 | 间接依赖 | composer |
| web-token/jwt-signature-algorithm-eddsa | 3.2.8 | 间接依赖 | composer |
| es-module-shims | 1.8.0 | 间接依赖 | npm |
| vue | 3.2.45 | 间接依赖 | npm |
| paragonie/constant_time_encoding | v2.6.3 | 间接依赖 | composer |
| @vue/compiler-sfc | 3.2.45 | 间接依赖 | npm |
| symfony/polyfill-mbstring | v1.28.0 | 间接依赖 | composer |
| deepmerge | 4.3.1 | 间接依赖 | npm |
| awesomplete | 1.1.5 | 间接依赖 | npm |
| @joomla/joomla-a11y-checker | 1.0.0 | 间接依赖 | npm |
| php5ts.dll | 间接依赖 | ||
| picocolors | 1.0.0 | 间接依赖 | npm |
| symfony/var-dumper | v6.3.4 | 间接依赖 | composer |
| @codemirror/lint | 6.4.1 | 间接依赖 | npm |
| symfony/options-resolver | v6.3.0 | 间接依赖 | composer |
| crossvent | 1.5.5 | 间接依赖 | npm |
| @codemirror/lang-json | 6.0.1 | 间接依赖 | npm |
| lcobucci/jwt | 4.3.0 | 间接依赖 | composer |
| joomla/string | 3.0.0 | 间接依赖 | composer |