Actions

Archived

Archived vel

From Joomla! Documentation

(Redirected from Archived vel)


For instructions on how to use this list, see the main page. Basically a red box = BAD

Contents

Pre Jan 2011

Extension Details Date Added Extension Update Link & Date

myblog controller

LFI

http://www.azrul.com/

010710 MyBlog 3.0.332

J!Dump v1.1.2

LFI in J!Dump v1.1.2 and before 060111 The extension is fixed in

version 1.1.3 070111


xmovie 1.0

xmovie 1.0 LFi 010111 v1.1 is a security release.

Easy File Uploader

LFI - http://extensions.joomla.org/extensions/core-enhancements/file-management/11909 090111 Fixed MIME type tamper vulnerability http://michaelgilkes.info/joomla-plugin-easy-file-uploader 2011-01-10

akeebabackup admin tools

xss 181210 http://www.akeebabackup.com/home/item/929-security-release-admin-tools-1-1.html devs update statement

aicontactsafe

XSS for versions 2.0.13 and below 161210 dev release 2.0.14

JRadio

JRadio LFI/SID 161210 http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56 developer fix statement

JE Auto

JE Auto 1.0 SQL I 091210 developers bug fix statement

jxtended comments

xss 081210 dev notice update to 1.3.1

sh404SEF

sqlI 301110 dev post of resolution

JE Ajax Event Calendar

SQL I (relist) 251110 Dev states resolved,

mosets tree

mosets tree various 181110 dev release 2.1.8 http://forum.mosets.com/showthread.php?t=17064

JQuarks 4 survey 1.0.0

SQLi 091110 developer statement updated to version 1.0.1 101110

RSform! 1.0.5

Multiple vulnerabilities - LFI, SQLi 061110 developer announcement of security releaseto 1.0.6 091110

ccinvoices

SQLi for ccinvoices 051110 Developer Upgrade release to ccInvoices_110RC3 061110

K2 joomlaworks

http://getk2.org/ k2 xss version 2.4.1

Mosets Tree 2.1.5

Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI developer relase statement and change log

JE FAQ Pro

Je faq pro various reports 090910 Developer update notice

Gantry Framework

SQli injection 050910 Update to 3.0.11

JE FAQ Pro

SID 020910 Developer update notice

Graffiti Wall

Graffiti Wall for jomsocial silent 777 310710 Dev statement 1.1 - is security release. Folder permission was set by default as 777 that is unsecure.

Spielothek

http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation 290710 Dev states version 1.7.1 resolves issues 020810

Aardvertiser

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777 290710 dev announces silent 0777 fixed in Version 2.1 290710

FW Real Estate Light

http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777 290710 version 1.1 reported as fixed 777 issue

jDownloads

http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting 2807110 1.7.4 RC3 Build 771 update on Jul 29 to remove 0777

TTVideo

TTVideo 1.0 Joomla SQL Injection Vulnerability 270710 dev updated the component to prevent this. 280710

Users are no longer able to download the previous version.

frei-chat2.0

http://code.google.com/p/frei-chat/downloads/list xss vulnerability 230710 Dev announcement to fix 2.1.2 for FreiChat [Those having CB installed]AND 1.2.2 for FreiChatPure [Extension Independent] 240710

QContacts

http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 Version: 1.0.4 reported, current version 1.0.6 220710 Devloper states unproven report and no POC

mysms

http://www.willcodejoomlaforfood.de/ Upload Vulnerability july 10,2010 290710 released the version 1.5.12.

EasyBlog

http://stackideas.com/products/easyblog.html xss (new report) july 10,2010 developer reported fix available on site

redshop light

http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and sqli 110710 Developer reported fix and upgrade to RC2

Music Manager

LFI music manager 090710 Version 0.13 released

NeoRecruit

neojoomla.com SQL Injection neorecruit vers 1.4 060710 dev statement of fix in 1.4.1 and safe 2.0.5

Jobs Pro

instantphp.com/ Sqli 060710 devs announcement of fix 130710

JPodium

http://www.jpodium.de/ SQL Injection 060710 Devs statement as to not proven

Front-End Article Manager System

http://b-elektro.no/ Upload Vulnerability 040710 dev states resolved

addressbook

http://b-elektro.no/ Upload Vulnerability 040710 dev states resolved

NijnaMonials

http://ninjaforge.com/ Sqli Vulnerability 040710 070410 Discovered to be malicious/false report see devs notice

Phoca Gallery

SQL I (wrong download location in report) 040710 deemed malicious report


socialads

techjoomla.com/ Xss Vulnerability 040710 Developers resolved statement

joomanager

SQli Vulnerability

http://www.joomanager.com

010710 developer release statement 260311


gamesbox

SQL Injection Vulnerability

http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox

010710 upgrade to 1.0.10

Remository

http://remository.com/ LFI (proc) 010710 Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710

RokBridge 1.0rc12

http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SDI 090810 RokBridge has been updated to version 1.0rc13. 120810

jomsocial

Version: 1.6.288 Multiple XSS 210610 1.6.291 released 220610

DOCman

DOCman 1.5.7 DOCman 1.4.0 none specific exploit 210610 developer announcement

eportfolio

http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability 200610 Developer announcement 270810

Super Messenger

axxis.gr xss 190610 developer release statement 1.4.6

RSComments 1.0.0

Persistent XSS NOTE: ONLY executes in backend! 190610 Developer update announcement 210610


RSComments 1.0.0

RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted) 180610 Developer update announcement 210610

PowerMail Pro

PowerMail Pro Local File Inclusion Vulnerability Dev upadte statement 151010

Magic Updater

http://software.realtyna.com/ RFI 170610 [1] developer update statement

Search Log

http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi 080610 Developer cited update to version 3.1.1 100710

iJoobi

jtickets, jsubscription SQL Injection Vulnerability,

jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection,

090610 developer states unproven

MyCar

http://www.unisoft.me/extensions/ sqli ID Dev announcement update to 1.1

BF Quiz

SQL Injection Exploit Version(s) = 1.3.0 Developer update to BF Quiz v1.3.1

Ozio Gallery 2

DT and open email relay 280510 Developer update and security release 010610

RS Comments

XSS Vulnerability - fix posted 210510


BCA RSS Feed

LFI and other vulnerabilities Upgrade to Ninja RSS Syndicator 1.0.9 or later

SimpleDownload

http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits 160510 updated version (version 0.9.6)

Aardvertiser

Local File Inclusion Vulnerability

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454

see resolved notice 040810

FDione Form Wizard

lfi vulnerability 140510 200510 Update to Dione Form Wizard (v. 1.0.4).

Custom PHP Pages

http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability Developer declares not vulnerable 140510

iJoomla News Portal

RFI SID Update to 1.5.10

article Factory Manager

RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html may 2010 can not reproduce and unproven, http://www.thefactory.ro

Table JX Component

http://www.toolsjx.com/ Table JX Component XSS 060510 - update 130510 Version: 1.5.5 considered unsafe, update to 1.5.7

ABC

ABC SQL Injection Vulnerability reported as updated to JED 290410

huruhelpdesk

http://www.huruhelpdesk.net sqli injection Reported fix

JTM Reseller

TM Reseller SQL injection vulnerability Developer Update

media Mall Factory

SQLi 200410 Solution: update to 1.0.5

Gadget Factory

LFi 200410 Solution: update to 1.5.1

Deluxe Blog Factory

SQLi 200410 update to 1.1.2

com properties

http://com-property.com/ SQL I developer announced fix

Multi-Venue Restaurant Menu Manager (MVRMM)

http://www.focusdev.co.uk/ 120410 Version 1.5.2 Stable Update 4

TRAVELbook

http://www.demo-page.de/ 120410 developers resolution notice 1.0.2

AlphaUserPoints

developer upgrade

CKForms

1.3.4 release - Important LFI security fix [2] 07-04-10 upgrade

smestorage

SMEStorage LFI Updated 29 March 10 developer fix to 1.1

JE Tooltip

JE Tooltip LFI Updated 23 March

Gift Exchange Beta

Gift exchange SQLi Updated 23 March upgrade beta 1.0.1

RokDownloads

[LFI] 15 march 2010 upgrade to version 1.0

juliaportfolio

LFI juliaportfolio 13 march 2010 withdrawal and update notice

Flash Magazine Deluxe

SQL Injection Vulnerability. Feb 25 Developer Update Version 2.0.11 09/03/10

Scriptegrator

Core Design Scriptegrator RFI exploit Feb 20 Dev Upgrade announcement

AllVideos 3.1

A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/]|

17 Feb Version 3.3 release 18th

RW Cards

RW Card LFI and ID exploit Dev Site 180210 developer update

Autartitarot

Directory Traversal. Back end access required Feb 05 Please upgrade to version 1.0.4

communitypolls

LFI - community polls Feb 17 upgrade to version 1.5.3



Pre Dec 2010

Extension Details Reference Link Extension Update Link
com_ajaxchat Summary: PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.New version release December 22,2009

Published: october 28 2009

CVE-2009-3822 update v 1.1
com_booklibrary PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 10/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3817 developer site updates
com_foobla_suggestions Summary: SQL injection vulnerability in the foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.

Published: 10/11/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3669 developer reported upgrade
com_djcatalog Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.

Published: 10/11/2009 CVSS Severity: 6.8 (MEDIUM)

CVE-2009-3661 Not Known
com_cbresumebuilder Summary: SQL injection vulnerability in the JoomlaCache CB Resume Builder ('com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.

Published: 10/09/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3645 Developer Update
com_soundset Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.

Published: 10/09/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3644 Not Known
com_sportfusion Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.

Published: 09/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3491 Not Known
com_icrmbasic Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 09/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3481 Not Known
com_mytube Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3446 Not Known
com_fastball Summary: SQL injection vulnerability in the Fastball (com_fastball) component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3443 latest version 1.2.1
com_facebook Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3438 Not Known
com_tupinambis Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3434 Not Known
com_idoblog Summary: SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.

Published: 09/25/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3417 New Version v 1.1 (build 32)
com_hbssearch Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.

Published: 09/24/2009 CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3368 Not Known
com_hbssearch Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3357 Not Known
com_alphauserpoints Summary: SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3342 1.5.3
TurtuShout Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3335 Not Known
com_jinc Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3334 Not Known
com_jbudgetsmagic Summary: SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3332 Update to 0.4.1
com_surveymanager Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3325 Not Known
com_album Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3318 Not Known
com_jreservation Summary: SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3316 Updated 28th Jan fixed 13th Nov
IXXO Cart Standalone Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.

Published: 09/16/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3215 Not Known
com_digifolio Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.

Published: 09/15/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3193 Not Known
com_aclassf Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.

Published: 09/10/2009 CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3155 Not Known
com_aclassf Summary: SQL injection vulnerability in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action to index.php, a different vector than CVE-2009-2567.

Published: 09/10/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3154 Developer latest component
com_jabode Summary: SQL injection vulnerability in Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.

Published: 09/08/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-7169 Not Known
com_gameserver Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.

Published: 09/03/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3063 Not Known
com_artportal Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.

Published: 09/03/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3054 Not Known
com_agora Summary: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.

Published: 09/03/2009 CVSS Severity: 6.8 (MEDIUM)

CVE-2009-3053 3.0.7
com_simpleshop Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.

Published: 08/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-7033 Not Known
com_groups Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 08/17/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-2789 Not Known
com_content Summary: SQL injection vulnerability in the content component (com_content) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.

Published: 08/10/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6923 Resolution
com_livechat Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6883 Not Known
com_livechat Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6882 Not Known
com_livechat Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6881 Not Known
JUMI There is a backdoor in JUMI that installs itself when JUMI is installed on your web site. It sends your credentials to a website, and sets up a back door for remote code execution.

Please remove JUMI2.0.5 immediately. It will be simple enough to remove the compromised code from this download, but you need to do a full security audit on your site as well as you have been compromised. Added November 2009

Report Jumi Update
com_photoblog Input Validation Error Added November 2009 36809 webguerilla Photoblog alpha 3b
com_jshop Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.

Published: 11/02/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3835 Not Known
BF Survey Pro Summary: SQL injection vulnerability in the BF Survey Pro v1.2.5 or lower (fixed in version 1.2.6). BF Survey Basic v1.0 (fixed in version 1.1). BF Quiz v1.1.1 (fixed in version 1.2 or greater) Added November 2009 tamlyncreative.com.au update
Joo!BB 0.9.1 Summary: Persistent XSS/MySQL Injection vulnerabilities in Joo!BB 0.9.1 Added November 2009 joob.org update
sh404sef Summary: sh404sef URI XSS Vulnerability Added November 2009 jeffchannell.com update
AWD Wall 1.5 Summary AWD Wall 1.5 Blind SQL Injection Vulnerability.The Joomla component AWD Wall 1.5 suffers from an SQL Injection vulnerability in its handling of the 'cbuser' parameter.Added November 2009 Notice developer update
EasyBook 2.0.0rc4 Summary: The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009 Alert Not Known
F!BB 1.5.96 Summary: The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009 Alert Not Known
Testimonial Ku 2.0 Admin Panel Summary: The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009 Alert Not Known
MS Comment 0.8.0b Summary MS Comment 0.8.0b for Joomla, a commenting plugin, suffers from an multiple vulnerabilities. Added November 2009 Alert Not Known
!JoomlaComment 4.0 beta1 Summary: !JoomlaComment 4.0 beta1, a commenting plugin, suffers from multiple XSS vulnerabilities. Added November 2009 Alert ' Developer Notice 4.0 rc1
WebAmoeba Ticket System 3.0.0 Summary: WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags. Added November 2009 Alert Not Known
Kunena 1.5.x Summary: This is an important security release and users are urged to update immediately. Five security issues and an Internet Explorer 8 table bug have been resolved in this release. This release also contains many other important bug fixes. Added 18 November 2009 Advisory Latest 1.5.8 Version
com_siirler Summary: SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009 CVE-2009-3972 Not Known
jTips (com_jtips) SUmmary:SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009 CVE-2009-3971 Not Known
NinjaMonials Summary: SQL injection vulnerability in the NinjaMonials (com_ninjacentral) component 1.1.0 for Joomla 1.0.x ! allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php. Added 18 November 2009 CVE-2009-3964 developer patch Ver 1.2
webee 1.1.1 &1.2 Summary: webee 1.1.1, a Joomla commenting plugin, suffers from multiple vulnerabilities. webee has been updated to 1.2 as of 12 November 2009 and still suffers from SQL Injection. XSS was not tested in 1.2. Added 19 November 2009 jeffchannell.com developer update ver2.0
iF Portfolio Nexus Summary: The iF Portfolio Nexus component for Joomla! is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements using the id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009 secunia.com 37408/ iF Portfolio Nexus v1.1.1 released
JoomClip Summary: The JoomClip component for Joomla! is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009 secunia.com 37400/ Not Known
Joomla XML Summary: Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number, via a direct request.

Published: 11/16/2009

CVE-2009-3946 Resolution
Mygallery Remote SQL Injection Vulnerability Summary: Joomla Component mygallery ( farbinform_krell) Remote SQL Injection Vulnerability Added 27 Nov 2009 Joomla 1.5 NB: This could be an error in our database as the only one we could find was for wordpress.If anyone know of one for joomla please let us know..(poss joomlicious.com CM) [3] Not Known
Extreme Google Calendar Summary: com_gcalendar 1.1.2 (gcid) Remote SQL Injection Vulnerability

Remote SQL Injection were identified in Google Calendar Component Extension Link Added 27 Nov 2009

reference Not Known
LyftenBloggie Summary: LyftenBloggie Component "author" SQL Injection Vulnerability LyftenBloggie 1.x Added 27 Nov 2009 SA37499 Un official fix. Developer fix not release at 30 Nov 09 1.0.4a (last update on Dec 28, 2009)
Sermon speaker Summary: sermon speaker sql vulnerability and password reset vulnerability version 3.2 and below Developer fix 30 Nov 2009
MusicGallery Summary: Component MusicGallery SQL Injection Vulnerability 30 November Joomla 1.5 CVE-2009-4217 developer

December 2009 Compiled Reports

Extension Details Reference Link Extension Update Link
Omilen Photo Gallery Summary: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.

Published: 12/04/2009

CVE-2009-4202 Not Known
Seminar Summary: SQL injection vulnerability in the Seminar (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php.

Published: 12/04/2009

CVE-2009-4200 Not Known
Mambo Resident Summary: Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) property_uid parameter in a viewproperty action to index.php and the (2) regID parameter in a showregion action to index.php. Mambo Resident component for v4.5.2 may only be for 1.0.xx versions of J!

Published: 12/04/2009

CVE-2009-4199 Replacement Extension 08 dec 09
ProofReader Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM) CVE-2009-4157 Not Known
Laoneo Google Calendar GCalendar Summary: SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) Note: There is already a listing for GCalendar 1.1.2 CVE-2009-4099 Latest version GCalendar Suite 2.1.5
D4J eZine Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) CVE-2009-4094 Not Known
Quick News Summary: The Joomla Quick News component suffers from a remote SQL injection vulnerability. added 1st Dec 09 Reference Not Known
Joaktree component Summary: Joaktree Vulnerability : SQL injection/ added 1st Dec 09 7508 version 1.1 update
mojoblog Summary MojoBlog Multiple Remote File Include Vulnerability added 1st Dec 09 Joomla 1.5 7509 Not Known
YJ Whois Summary: YJ Whois Low security risk,and fixesMalicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Files affected is , modules/mod_yj_whois.php added 3 December 09 Reference Developer Notice and fix 03 dec 09
yt_color YOOOtheme Summary: YT_color yootheme Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. added 5 dec 09 Reference All members without an active membership can download the template patches here.
TP Whois summary: TP Whois Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Added 3 december Joomla 1.5 Refrence Not Known
com_job Summary: Component com_job ( showMoreUse) SQL injection vulnerability Added 9th Dec Reference Not Known
JQuarks Summary: JQuarks SQL injection vulnerability Joomla 1.5 added 8th dec 09 Reference Developer Update
Mamboleto Component 2.0 RC3 Summary: Mamboleto Component 2.0 RC3SQL injection vulnerability Joomla 1.5 added 12 December Reference Not Known
JS JOBS Summary JS JOBS Joomla Component com_jsjobs 1.0.5.6 SQL Injection Vulnerabilities Joomla 1.5 added 12 December Reference Developer update 1.0.5.7
corePHP JPhoto Summary: 'corePHP' JPhotoSQL injection vulnerability Joomla 1.5 added 12 December Reference Developer Upgrade
com_virtuemart Summary: "com_virtuemart" http://virtuemart.net/ Version : 1.0 Vulnerability : SQL injection added Date : 07- dec -09 Joomla 1.5 Reference latest version
Kide Shoutbox Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08 CVE-2009-4232 Not Known
JoomPortfolio Component Summary: JoomPortfolio Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18 Joomla 1.5 Reporting Site Not Known
City Portal (templates?) Summary: City Portal Blind SQL Injection Vulnerability added: 2009-12-18 Reference Possibly this tempate Not Known
Event Manager Summary: Event Manager Blind SQL Injection Vulnerability EDB-ID: 10549

added: 2009-12-18

Reference Not Known
com_zcalendar Summary: com_zcalendar Blind SQL-injection Vulnerability

EDB-ID: 10548 added: 2009-12-18

Reference Not Known
com_acmisc Summary: com_acmisc SQL injection added: 2009-12-18 Reference Not Known
com_digistore Summary: com_digistore SQL injection EDB-ID: 10546 added: 2009-12-18 Joomla 1.5 Reference Update change log
com_jbook Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18 Joomla 1.0 Reference Not Known
com_personel Summary: com_personel component for Joomla! is vulnerable to SQL injection. iss.net reference Not Known
JEEMA Article Collection Summary: JEEMA Article Collection Input passed via the "catid" parameter to index.php (when "option" is set to "com_jeemaarticlecollection" and "view" is set to "longlook") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. version 1.0.0.1 Joomla 1.5 added 22 dec 09 secunia fixed the same in the version v102.
HotBrackets Tournament Brackets Summary: The HotBrackets Tournament Brackets component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Joomla 1.5 added 22 dec Reference Not Known
Car Manager Summary: http://webformatique.com/ com_carman Cross Site Scripting Vulnerability added 24 december 09Joomla 1.5 Reference Not Known
Schools component Summary: The 'com_schools' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Reference added 24 dec 09 Not Known
webcamxp com_webcamxp Cross Site Scripting Vulnerabilities Last version 2008 Joomla 1.5 Dec 27 Reference Not Known
beeheard beeheard Blind SQL injection Vulnerability Joomla 1.5 Dec 27 Reference Version 1.4.2 04 Jan
jm-recommend jm-recommendCross Site Scripting Vulnerabilities. unable to locate on jed. Joomla 1.5 Dec 27 Reference Not Known
facileforms com_facileforms Cross Site Scripting Vulnerabilities. unable to locate on jed. Product considered retired. Joomla 1.5 Dec 27 Reference Not Known
adagency adagency Vulnerabilities Joomla 1.5 Dec 27 Reference Not Known
com_intuit com_intuitLocal File Inclusion Vulnerability Joomla 1.5 Dec. 27 Reference Retired
MemoryBook MemoryBook 1.2 Multiple Vulnerabilities. requires: magic quotes OFF, user account Joomla 1.5 Dec. 27 Reference Not Known
qpersonel qpersonel Cross Site Scripting Vulnerabilities Joomla 1.0Joomla 1.5 Dec. 27 Reference Not Known
opryknings point com_oprykningspoint_mc Cross Site Scripting Vulnerabilities Joomla 1.5 Dec. 27 Reference Not Known
trabalhe conosco com_trabalhe_conosco Cross Site Scripting Vulnerabilities Joomla 1.5 Dec. 27 Reference Not Known
DhForum com_dhforum SQL Injection Vulnerability. considered retired/EOL Dec. 27 Joomla 1.01.5 legacy Reference Not Known
com_morfeoshow morfeoshow this was a false report Reference false report
Run Digital Download rd-download RD Download Local File Disclosure Vulnerability Joomla 1.5 Dec. 30 Version affected not disclosed. Reference Version 0.9 relased

November 2009 Compiled Vulnerability Reports. RESOLVED ONLY

Items are not in any particular order.


Extension Details Reference Link Extension Update Link
com_djcatalog Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.

Published: 10/11/2009 CVSS Severity: 6.8 (MEDIUM)

CVE-2009-3661 Not Known
com_soundset Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.

Published: 10/09/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3644 Not Known
com_sportfusion Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.

Published: 09/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3491 Not Known
com_icrmbasic Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 09/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3481 Not Known
com_mytube Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3446 Not Known
com_facebook Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3438 JED entry. Download site Developer states reports not proven 24/07/10
com_tupinambis Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3434 Not Known
com_hbssearch Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.

Published: 09/24/2009 CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3368 Not Known
com_hbssearch Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3357 Not Known
TurtuShout Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3335 Not Known
com_jinc Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3334 Not Known
com_surveymanager Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3325 Not Known
com_album Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3318 Not Known
IXXO Cart Standalone Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.

Published: 09/16/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3215 Not Known
com_digifolio Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.

Published: 09/15/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3193 Not Known
com_aclassf Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.

Published: 09/10/2009 CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3155 Not Known
com_jabode Summary: SQL injection vulnerability in Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.

Published: 09/08/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-7169 Not Known
com_gameserver Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.

Published: 09/03/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3063 Not Known
com_artportal Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.

Published: 09/03/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3054 Not Known
com_simpleshop Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.

Published: 08/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-7033 Not Known
com_groups Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 08/17/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-2789 Not Known
com_livechat Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6883 Not Known
com_livechat Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6882 Not Known
com_livechat Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6881 Not Known
com_jshop Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.

Published: 11/02/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3835 Not Known
EasyBook 2.0.0rc4 Summary: The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009 Alert

easybook reloaded released

F!BB 1.5.96 Summary: The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009 Alert Not Known
Testimonial Ku 2.0 Admin Panel Summary: The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009 Alert Not Known
MS Comment 0.8.0b Summary MS Comment 0.8.0b for Joomla, a commenting plugin, suffers from an multiple vulnerabilities. Added November 2009 Alert Not Known
WebAmoeba Ticket System 3.0.0 Summary: WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags. Added November 2009 Alert Not Known
com_siirler Summary: SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009 CVE-2009-3972 Not Known
jTips (com_jtips) SUmmary:SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009 CVE-2009-3971 Not Known
JoomClip Summary: The JoomClip component for Joomla! is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009 secunia.com 37400/ Not Known
Mygallery Remote SQL Injection Vulnerability Summary: Joomla Component mygallery ( farbinform_krell) Remote SQL Injection Vulnerability Added 27 Nov 2009 Joomla 1.5 NB: This could be an error in our database as the only one we could find was for wordpress.If anyone know of one for joomla please let us know..(poss joomlicious.com CM) [4] Not Known
Extreme Google Calendar Summary: com_gcalendar 1.1.2 (gcid) Remote SQL Injection Vulnerability

Remote SQL Injection were identified in Google Calendar Component Extension Link Added 27 Nov 2009

reference Not Known
LyftenBloggie Summary: LyftenBloggie Component "author" SQL Injection Vulnerability LyftenBloggie 1.x Added 27 Nov 2009 SA37499 Un official fix. Developer fix not release at 30 Nov 09 1.0.4a (last update on Dec 28, 2009)

November 2009 Compiled Vulnerability Reports.

Items are not in any particular order.


Extension Details Reference Link Extension Update Link
com_djcatalog Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.

Published: 10/11/2009 CVSS Severity: 6.8 (MEDIUM)

CVE-2009-3661 Not Known
com_soundset Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.

Published: 10/09/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3644 Not Known
com_sportfusion Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.

Published: 09/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3491 Not Known
com_icrmbasic Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 09/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3481 Not Known
com_mytube Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3446 Not Known
com_facebook Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3438 JED entry. Download site Developer states reports not proven 24/07/10
com_tupinambis Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.

Published: 09/28/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3434 Not Known
com_hbssearch Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.

Published: 09/24/2009 CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3368 Not Known
com_hbssearch Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3357 Not Known
TurtuShout Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3335 Not Known
com_jinc Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3334 Not Known
com_surveymanager Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3325 Not Known
com_album Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3318 Not Known
IXXO Cart Standalone Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.

Published: 09/16/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3215 Not Known
com_digifolio Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.

Published: 09/15/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3193 Not Known
com_aclassf Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.

Published: 09/10/2009 CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3155 Not Known
com_jabode Summary: SQL injection vulnerability in Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.

Published: 09/08/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-7169 Not Known
com_gameserver Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.

Published: 09/03/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3063 Not Known
com_artportal Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.

Published: 09/03/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3054 Not Known
com_simpleshop Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.

Published: 08/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-7033 Not Known
com_groups Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 08/17/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-2789 Not Known
com_livechat Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6883 Not Known
com_livechat Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6882 Not Known
com_livechat Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php.

Published: 07/30/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6881 Not Known
com_jshop Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.

Published: 11/02/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3835 Not Known
EasyBook 2.0.0rc4 Summary: The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009 Alert

easybook reloaded released

F!BB 1.5.96 Summary: The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009 Alert Not Known
Testimonial Ku 2.0 Admin Panel Summary: The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009 Alert Not Known
MS Comment 0.8.0b Summary MS Comment 0.8.0b for Joomla, a commenting plugin, suffers from an multiple vulnerabilities. Added November 2009 Alert Not Known
WebAmoeba Ticket System 3.0.0 Summary: WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags. Added November 2009 Alert Not Known
com_siirler Summary: SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009 CVE-2009-3972 Not Known
jTips (com_jtips) SUmmary:SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009 CVE-2009-3971 Not Known
JoomClip Summary: The JoomClip component for Joomla! is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009 secunia.com 37400/ Not Known
Mygallery Remote SQL Injection Vulnerability Summary: Joomla Component mygallery ( farbinform_krell) Remote SQL Injection Vulnerability Added 27 Nov 2009 Joomla 1.5 NB: This could be an error in our database as the only one we could find was for wordpress.If anyone know of one for joomla please let us know..(poss joomlicious.com CM) [5] Not Known
Extreme Google Calendar Summary: com_gcalendar 1.1.2 (gcid) Remote SQL Injection Vulnerability

Remote SQL Injection were identified in Google Calendar Component Extension Link Added 27 Nov 2009

reference Not Known
LyftenBloggie Summary: LyftenBloggie Component "author" SQL Injection Vulnerability LyftenBloggie 1.x Added 27 Nov 2009 SA37499 Un official fix. Developer fix not release at 30 Nov 09 1.0.4a (last update on Dec 28, 2009)

December 2009 Compiled Reports

Extension Details Reference Link Extension Update Link
Omilen Photo Gallery Summary: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.

Published: 12/04/2009

CVE-2009-4202 Not Known
Seminar Summary: SQL injection vulnerability in the Seminar (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php.

Published: 12/04/2009

CVE-2009-4200 released V1.29, released
ProofReader Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM) CVE-2009-4157 Not Known
D4J eZine Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) CVE-2009-4094 Not Known
Quick News Summary: The Joomla Quick News component suffers from a remote SQL injection vulnerability. added 1st Dec 09 Reference Not Known
mojoblog Summary MojoBlog Multiple Remote File Include Vulnerability added 1st Dec 09 Joomla 1.5 7509 Not Known
TP Whois summary: TP Whois Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Added 3 december Joomla 1.5 Refrence Not Known
com_job Summary: Component com_job ( showMoreUse) SQL injection vulnerability Added 9th Dec Reference Not Known
Mamboleto Component 2.0 RC3 Summary: Mamboleto Component 2.0 RC3SQL injection vulnerability Joomla 1.5 added 12 December Reference Not Known
Kide Shoutbox Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08 CVE-2009-4232 Not Known
JoomPortfolio Component Summary: JoomPortfolio Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18 Joomla 1.5 Reporting Site Not Known
City Portal (templates?) Summary: City Portal Blind SQL Injection Vulnerability added: 2009-12-18 Reference Possibly this tempate Not Known
Event Manager Summary: Event Manager Blind SQL Injection Vulnerability EDB-ID: 10549

added: 2009-12-18

Reference Not Known
com_zcalendar Summary: com_zcalendar Blind SQL-injection Vulnerability

EDB-ID: 10548 added: 2009-12-18

Reference Not Known
com_acmisc Summary: com_acmisc SQL injection added: 2009-12-18 Reference Not Known
com_jbook Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18 Joomla 1.0 Reference Not Known
com_personel Summary: com_personel component for Joomla! is vulnerable to SQL injection. iss.net reference Not Known
HotBrackets Tournament Brackets Summary: The HotBrackets Tournament Brackets component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Joomla 1.5 added 22 dec Reference Not Known
Car Manager Summary: http://webformatique.com/ com_carman Cross Site Scripting Vulnerability added 24 december 09Joomla 1.5 Reference Not Known
Schools component Summary: The 'com_schools' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Reference added 24 dec 09 Not Known
webcamxp com_webcamxp Cross Site Scripting Vulnerabilities Last version 2008 Joomla 1.5 Dec 27 Reference Not Known
jm-recommend jm-recommendCross Site Scripting Vulnerabilities. unable to locate on jed. Joomla 1.5 Dec 27 Reference Not Known
facileforms com_facileforms Cross Site Scripting Vulnerabilities. unable to locate on jed. Product considered retired. Joomla 1.5 Dec 27 Reference Not Known
adagency adagency Vulnerabilities Joomla 1.5 Dec 27 Reference Not Known
com_intuit com_intuitLocal File Inclusion Vulnerability Joomla 1.5 Dec. 27 Reference Retired
MemoryBook MemoryBook 1.2 Multiple Vulnerabilities. requires: magic quotes OFF, user account Joomla 1.5 Dec. 27 Reference Not Known
qpersonel qpersonel Cross Site Scripting Vulnerabilities Joomla 1.0Joomla 1.5 Dec. 27 Reference Not Known
opryknings point com_oprykningspoint_mc Cross Site Scripting Vulnerabilities Joomla 1.5 Dec. 27 Reference Not Known
trabalhe conosco com_trabalhe_conosco Cross Site Scripting Vulnerabilities Joomla 1.5 Dec. 27 Reference Not Known
DhForum com_dhforum SQL Injection Vulnerability. considered retired/EOL Dec. 27 Joomla 1.01.5 legacy Reference Not Known

January 2010 Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions either in the jforum:432 security topic or the extensions topic clearly marked with the first word in the title being Vulnerable where the security moderators or JSST team will respond. This list is change protected, for updates or editing requests Mandville or lafrance

Back To Top


Extension Details Reference Link Extension Update Link
JvideoDirect Summary: Jvideodirect SQLi Jan 29 Update version 2.5
JEvent search plugin Summary: JEvent search plugin for JEvent SQLi reported Jan 29 upgrade to 1.5.3b
Kunena Summary: kunena re reported suffering SQLi in version 1.5.9 Jan 29 Confirmation Required Now found to be malicious Versions 1.5.5 and below only
JE Quiz Summary : http://extensions.joomla.org/extensions/contacts-and-feedback/quiz-a-surveys/11212 JeQuiz SQLi reported 29 Jan Not Known
idoblog summary: exploitable due to open file permissions. 28 Jan Private Notification build 35 released
ccnewsletter Summary ccnewsletter Directory Traversal Vulnerability Jan 28 Private Notification version 1.0.6 released 29 Jan
Virtuemart 1.1.4 Summary: virtuemart Input var order_status_id is vulnerable to SQLi NB Requires Higher Level access before exploiting. Jan 27 developer patches
JBDiary Summary: JBDiary BLIND SQL Injection Vulnerabilities Jan 24 http://www.jb-soft.nl/ Developer Update 27 Jan
JbPublishDownFp Sumary: JbPublishDownFp SQL Injection Vulnerability Jan 24 http://www.jb-soft.nl Developer Update Jan 27
com_casino Summary: com_casino

SQL Injection Vulnerabilities Jan24

Not Known
Mochigames Summary: com_Mochigames

SQL Injection Vulnerabilities Jan24

mochigames_alpha052 Released
ContentBlogList Summary: com_ContentBlogList SQL Injection Vulnerability Jan 23 Reference Not Known
MailChimp for Joomla 1.5 Summary: MailChimp for Joomla 1.5 jan 17 Developer Statement Not Known
JoomlaXML Summary: JoomlaXML malicious code insertion Not Known
JVClouds3D SWF module JVClouds3D SWF module Cross Site Scripting . jan 14 xforce Not Known
JVClouds3D JVClouds3D module Cross Site Scripting . jan 14 xforce Not Known
JA Showcase JA Showcase component Directory Traversal jan 14 xforce Not Known
jprojects Summary: Unknown Author com_j-projects Blind SQL Injection Vulnerability. Jan 10 detail update Reference Not Known
jEmbed-Embed Anything jEmbed-Embed Anything A vulnerability has been discovered in the jEmbed-Embed Anything component for Joomla, which can be exploited by malicious people to conduct SQL injection attacks. Jan 10 Secunia Advisory: SA38112 Product considered retired
perchagallery Summary: perchagallery com_perchagallery SQL Injection Vulnerability Jan 7 Reference Developer Update 1.5b
CARTwebERP Summary: CARTwebERP Local File Inclusion Vulnerability Jan. 3 Reference 1.56.76 (last update on Jan 11, 2010)
JoomlaBibleStudy Summary: JoomlaBibleStudy LFI Vulnerability Jan. 3 Reference Developer reported update
com_bfsurvey_basic and pro Summary: BFsurvey SQL Injection Vulnerability ,LFI Vulnerability Jan. 3 Reference Developer Update announcement
Alfresco Summary: SQL Injection Vulnerability. Not believed to be Joomlatools extension Jan. 3 Reference Not Known
abbrev Summary: abbrev Local File Inclusion Vulnerability Jan. 3 Reference Not Known
countries Summary: countries SQL Injection Vulnerability Jan. 3 Reference Not Known
Dedicated Component com_tpjobs Summary: tpjobs SQL Injection Vulnerability unable to locate files probably template plaza Jan. 3 Reference Developer Update
Component com_doqment SQL Injection Vulnerability Jan. 3 Reference Not Known
Component com_otzivi Blind SQL Injection Vulnerability Jan. 3 Reference Not Known
aprice Summary: com_aprice Component 'analog' Parameter SQL Injection Vulnerability Report Not Known
cartikads Summary: com_cartikads Remote File Upload Vulnerability

Mambo Open Source ads management component

Reference Not Known
Docman seller Summary: Document seller Input passed via the "id" parameter to index.php (when "option" is set to "com_dm_orders", "task" is set to "order_form", and "payment_method" is set to "Paypal") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. secunia Updated 10th Jan
ozio gallery summary: Ozio Gallery2 SQLi eploit Reference developer update Jan 11
RD-Autos Free RD-Autos Free This version is now commercial not free Private advisory to JED Jan 11 Product Retired and replaced
DailyMeals Summary: dailymeals Local File Inclusion Vulnerability Jan 02 Reference Not Known
RD-Autos Pro RD Autos Pro Private advisory to JED Jan 11 Upgrade to Latest version be 2.0.2