Joomla! Documentation - User contributions [en]

User talk:E-builds

2012-08-10T23:24:31Z

CirTap: regarding your deletion request

regarding your deletion request, see my talk page --[[User:CirTap|CirTap]] ([[User talk:CirTap|talk]] • [[Special:Contributions/CirTap|contribs]])

User talk:CirTap

2012-08-10T23:24:13Z

CirTap: /* Request for deletion? How to delete docs.joomla page? */

Welcome stranger! {{1}}Leave a note if you dare, it may happen I reply.
----

== Request for deletion? How to delete docs.joomla page? ==

I have done some development pages editing on this wiki, and one of the steps requiers deleting the following page, but no templates work (delete, rfd, RFD).
So how, do I do this.

Page in question [[Setting up a testing environment]]
Reason: Old and integrated the article into this one: [[Setting up your workstation for joomla development]]

P.S. Sorry to put that here, but I have searched for over an hour now for answers (also a quick look on joomla forum "Dos"). Might update the editing help pages.
<a href="e-motiv.net">e-motiv development</a>

:The "rfd" templates no not exists. I can't recall if they ever existed in the first place an if so, who delete them.
:Other pages link to [[Setting up a testing environment]] so deletion is not an option until the links are not resolved (re-linked) properly to another page page.
:I may add a redirect however to the page, but please let me know if you were referring to
:* [[Setting up your workstation for joomla development]] **OR**
:* [[Setting up your workstation for Joomla! development]]
:They all seem to deal with the same content ...
: --[[User:CirTap|CirTap]] ([[User talk:CirTap|talk]] • [[Special:Contributions/CirTap|contribs]])

User talk:CirTap

2012-08-10T23:16:28Z

CirTap: /* Request for deletion? How to delete docs.joomla page? */

User talk:CirTap

2012-08-10T22:48:10Z

CirTap:

Migrating from Joomla 1.5 to Joomla 1.6+

2011-11-04T18:04:22Z

CirTap: /* Before You Get Started */ 1.5.24

With Joomla 1.6 officially released, there have been a lot of questions as to how to migrate or upgrade to Joomla 1.6 from 1.5. This guide will take you step-by-step through the general procedure of how to migrate to Joomla 1.6.
Please read through all the material as this is not a light undertaking.
=Before Upgrading=
Don't let the numerical closeness of 1.5 and 1.6, mislead you. Joomla 1.6 took three years to develop and has been a major undertaking. Countless hours have been spent by many volunteers from around the world to put it all together. Although much of the code is the same from Joomla 1.5, much of it has been written from the ground up, and the changes are comparable to the changes from Joomla 1.0 to 1.5.
Because the changes from Joomla 1.5 to 1.6 are so large and because of the massive effort put into getting Joomla 1.6 to where it is today, there is no core upgrade path, this is indeed a migration. In planned future releases of Joomla (which will be released every 6 months), such as Joomla 1.7, 1.8, etc, the changes from version to version will be more incremental and a core upgrade path is planned.
Now that Joomla 1.6 is finally here and stable, a community initiative led by the developers of Joomla is turning towards [http://extensions.joomla.org/extensions/migration-a-conversion/joomla-migration/11658 jUpgrade] (a 3rd party Joomla extension on the JED originally developed by Matias Aguirre) for help and to help. Many of Joomla's developers (who are all volunteers that freely contribute their time) are volunteering to put the finishing touches on [http://extensions.joomla.org/extensions/migration-a-conversion/joomla-migration/11658 jUpgrade].

[http://extensions.joomla.org/extensions/migration-a-conversion/joomla-migration/11658 jUpgrade] allows you to migrate from Joomla 1.5 to 1.6.
Lets get started!
==Review the Requirements==
Please, please save yourself (and possibly your clients) a lot of headaches and make sure that your server (and in the case of jUpgrade, your browser too) is up for the task. please review the [http://docs.joomla.org/Joomla_1.6_technical_requirements technical requirements for Joomla! 1.6]. Please review the [http://www.matware.com.ar/joomla/jupgrade.html requirements for jUpgrade] as well.
==Before You Get Started==
Before you get started, there are a few things that you are going to have to check and/or think about:
# Is your Joomla 1.5 version up to date? The most up-to-date version of Joomla 1.5 is 1.5.24. If your version is not up-to-date, upgrade to 1.5.24 before migrating, especially if you are running Joomla 1.5.11 or lower.
# Do all your extensions have Joomla 1.6 native versions? At the time of the writing of this tutorial there are 108 available on the JED. Please note that jUpgrade is not currently able to upgrade Joomla 3rd party extensions, so those will have to be done via their respective upgrade procedures. This is however a work in progress.
# Have you modified any core files? Any changes that you have made to core files in Joomla will be lost so please be forewarned.
# Is there a Joomla 1.6 compatible template available from your template provider? If not, do you feel comfortable making the changes yourself? There are a couple good resources:
## [http://community.joomla.org/blogs/community/1257-16-templates.html Chad Windnagle's Joomla Community blog]
## [http://www.slideshare.net/chrisdavenport/template-changes-for-joomla-16 Chris Davenport's "Template Changes for Joomla 1.6" presentation]
## [[Upgrading a Joomla 1.5 template to Joomla 1.6|Joomla's Docs Template Tutorial]] Please note that although jUpgrade is not able to currently upgrade templates, the developers are working hard at implementing the feature.
# Is your language pack available in Joomla 1.6? [http://community.joomla.org/translations/joomla-16-translations.html Find your Joomla1 1.6 Translation].
# Do you have folder or file permissions issues in your Joomla 1.5 installation?
# Do you NEED to migrate to Joomla 1.6? Joomla 1.5 is powerful and very mature. For many people there is not a need to rush into Joomla 1.6. Joomla will continue to support Joomla 1.5 for at least another year and three months, releasing security updates and bug squashing updates when needed.
#: The two main features of Joomla 1.6 that makes it superior to Joomla 1.5 are: Access Control List (ACL) and nested categories. Gone are the days of simply having guests, registered users, authors, and editors, without being able to specify what they can and can't do in the frontend. Also, with 1.6 you can have more flexibility of organizing (and therefore displaying) your content with nicely organized categories within categories. No more being restricted to the section >> category structure. Those are all great things to have (especially the ACL), however, for many 1.5 users, it isn't needed. The main point is to decide for yourself.
#: For a massive list of changes from Joomla 1.5 to Joomla 1.6, please see [[What's new in Joomla 1.6]].

==Backup, Backup, Backup==
Skipping this part is perhaps the biggest mistake you can make. If you have a proper backup (or several) you can always revert back if needed. However, if you don't properly backup your site and something goes wrong, you are going to waste a lot of valuable time, and sometimes a lot money, getting things back to the way they were. So please backup!

==== Using Akeeba to backup ====

* Akeeba Backup produces a .jpa file

* The .jpa file contains all the folders/files and database files.

* The .jpa file also contains an installer

* Kickstart.php (from Akeeba) unpacks the .jpa file

* You then run the installer and install your site like a Joomla install.

* The installer has an option to change the configuration for restoring to a different location

After you create the Database for your Joomla download and install Akeeba, it can be download from [http://extensions.joomla.org/extensions/access-a-security/site-security/backup/1606 Joomla extension directory]. There is a link to full instructions there as well.

=Upgrading=
==Download jUpgrade==
Download the [http://www.matware.com.ar/downloads/joomla/jupgrade.html latest version of jUpgrade]. It is highly advisible, especially when development still is progressing, to always use the latest available version!

==Optional Testing Environment==
If you are really nervous by this point and your heart is beating fast, then you should probably set up a testing environment.

=== Install XAMPP ===
XAMPP is an easy-to-install package that bundles the Apache web server, PHP, XDEBUG, and the MySql database. This allows you to create the environment you need to run Joomla! on your local machine. The latest version of XAMPP is available at [http://www.apachefriends.org/en/xampp.html the XAMPP web site]. Downloads are available for Linux, Windows, Mac OS X and Solaris. Download the package for your platform.

''Important Note Regarding XAMPP and Skype:'' Apache and Skype both use port 80 as an alternative for incoming connections. If you use Skype, go into the Tools-Options-Advanced-Connection panel and deselect the "Use 80 and 443 as alternatives for incoming connections" option. If Apache starts as a service, it will take 80 before Skype starts and you will not see a problem. But, to be safe, disable the option in Skype.

'''Update'''

''As of August 5, 2010, XDebug has been updated (to version 2.1) which fixes some important bugs (for example, watching local variables for nesting functions). The latest XAMPP package (1.7.3) now includes this new version of XDebug. If you just want to update XDebug, you can download the latest module from [http://www.xdebug.org]. There is a handy website that tells you which XDebug binary you need, depending on your phpinfo() information [http://xdebug.org/find-binary.php here]. To use it, you just copy the output of your phpinfo() display and paste it into the form on the site.''

===== Installation on Windows =====

Installation for Windows is very simple. You can use the XAMPP installer executable (for example, "xampp-win32-1.7.3-installer.exe"). Detailed installation instructions for Windows are available [http://www.apachefriends.org/en/xampp-windows.html here].

For Windows, it is recommended to install XAMPP in "c:\xampp" (not in "c:\program files"). If you do this, your Joomla! (and any other local web site folders) will go into the folder "c:\xampp\htdocs". (By convention, all web content goes under the "htdocs" folder.)

If you have multiple http servers (like IIS) you can change the xampp listening port. In <xamppDir>\apache\conf\httpd.conf, modify the line Listen 80 to Listen [portnumber] (ex: "Listen 8080").

===== Installation on Linux =====

Install xammp
Open Terminal and enter:
sudo tar xvfz xampp-linux-1.7.3a.tar.gz -C /opt
(replace ''xampp-linux-1.7.3a.tar.gz'' with the version of xammp you downloaded).
It has been reported that the MYSQL database of xampp 1.7.4 does not work with Joomla 1.5.22

This installs ... Apache2, mysql and php5 as well as an ftp server.

''sudo /opt/lampp/lampp start''

and
''sudo /opt/lampp/lampp stop''

starts/stops all the services

==== Test your xammp localhost server ====
Open your Browser and point it to
http://localhost
The index.php will redirect to
http://localhost/xammp

There you will find instructions on how to change default usernames/passwords. On a PC that does not serve files to the Internet or LAN then changing the defaults is personal choice.

== Install jUpgrade ==
Go to your Joomla backend. e.g. www.yoursite.com/administrator

'''Extensions''' >> '''Install/Uninstall'''

[[Image:Installjupgrade.png|alt=Installing jUpgrade]]

'''Browse''' >> '''Select com_jupgrade''' >> '''Upload File & Install'''

[[Image:browse.png|Browse and Upload Component]]

[[Image:Installjupgrade2.png|alt=Installing jUpgrade]]

== Enable Mootools Upgrade Plugin ==
# Go to Extensions | Plugin Manager
# Search for "System - Mootools Upgrade"
# Enable the plugin
It is important that this plugin is installed and that it has been set to enabled, as the proper functioning of jUpgrade depends on it.

== Configure Options ==
As of jUpgrade version 1.1.1, support is present to migrate to Joomla! 1.6, Joomla! 1.7, and an old Molajo build. As well, for jUpgrade to be successful, you must configure your current table prefix prior to beginning the migration. The following are the options that can be configured with jUpgrade:

Global:
* Distribution - Select whether to migrate to Joomla! 1.6, 1.7, or Molajo
* Prefix for old database - Your current table prefix
* Prefix for new database - Your selected table prefix for your migrated site

Skips:
* Skip checks - Skip pre-migration checks
* Skip download - Skip downloading the package (Note: Must have a package already downloaded to your temp folder or set this and Skip Decompress if set to yes)
* Skip decompress - Skip decompressing the downloaded package (Note: Must have a package already downloaded and decompressed to site_root/jupgrade if set to Yes)

Templates:
* Keep original positions - Keep the currently defined positions for modules

Debug:
* Enable Debug - Enable this to have messages displayed below the migration process concerning the progress, helpful if having issues

[[Image:Jupgrade_options.png|alt=jUpgrade 1.1.1 Options]]

== Migration ==
'''Components''' >> '''jUpgrade'''

[[Image:Accessjupgrade.png]]

'''Start Upgrade'''

[[Image:Startjupgrade.png|alt=Start jUpgrade]]

[[Image:Runjupgrade.png|alt=Run jUpgrade]]

'''Do not exit the screen''' until everything has finished loading. Scroll down to check if finished.

[[Image:Jupgradefinished.png|alt=jUpgrade Finished]]

'''Success!!!'''

Please note that jUpgrade currently does not migrate templates, only default templates.

==Behind the Scenes==
As explained in the background information, the changes from Joomla 1.5 and 1.6 are quite significant. The fact that jUpgrade creates a new Joomla 1.6 installation for us is, in my opinion, pure genius. If the migration process was not 100% successful, your Joomla 1.5 is still perfectly intact and none of your users are affected. You have an opportunity to check out your site both in the frontend and the backend to make sure everything is up to par. So what actually happens? jUpgrade downloads the latest version of Joomla 1.6 for you to the jupgrade directory (which it creates) in the root folder of your Joomla 1.5 installation. It then extracts all the files from the download. Once extraction has completed, jUpgrade installs Joomla 1.6 and then proceeds to migrate your old database to the new Joomla 1.6 database which it has created.
Your Joomla 1.6 site will be installed in www.mysites.com/jupgrade assuming that your Joomla 1.5 installation is in your html root.
==Check Your Joomla! 1.6==
Please do a full site review of your Joomla 1.6 installation and make sure everything is set up properly.
Your Joomla 1.6 site will be installed in www.mysites.com/jupgrade assuming that your Joomla 1.5 installation is in your html root.
Here is a general checklist to check:
* Banners
* Categories
* Contacts
* Content
* Menus
* Modules
* Newsfeeds
* Users
* Weblinks
* Templates - Work is currently being done on the template upgrade feature of jUpdate and it is not yet fully functional. Your module positions may have to be adjusted in module manager.
==Backup Joomla! 1.6==
If everything looks good to go, then let's backup the new Joomla 1.6 installation.
==Overview of the Rest of the Process==
Quick overview of what we are going to try to do now:
# Relocate our Joomla 1.5 installation to a subfolder as a "just in case".
# Relocate our Joomla 1.6 installation to the html folder.
'It should happen in this order' If you do it in reverse order, the Joomla 1.6 files will get mixed with the Joomla 1.5 files (many of 1.5 files will be overwritten) and you will have a big mess! Your site will likely still work, but it's a security ticking time bomb waiting to go off.

=Going Live=
Next log onto your host's file manager (e.g. cPanel, Plesk, etc) or an FTP Client, however, preferably a file manager.
The general procedure is (it should take about 30 seconds if you review the steps before you start):
# Create a subfolder (e.g. myoldsite) for the Joomla 1.5 installation in your html root, e.g. public_html/myoldsite
# Select all the folders (***except the jupgrade folder***) and files in the html root and move them into the Joomla 1.5 subfolder (e.g. myoldsite)
# Select all the folders and files in the jupgrade folder and move them to the html root
# Double check the frontend and backend

=How to Manually Migrate Joomla=
If Jupgrade did not work out for you like many of us, you might want to consider manual upgrade. '''Be warned, however, that this process is very tedious (especially see step 6 below), and the procedure is not well tested as of yet (if at all)'''. So just like the Jupgrade method, you will want to backup your database just in case. Before upgrading you should check to make sure every extension you want is joomla 1.6/1.7 compatible. Also back up your directory files just in case and keep a list of the extensions you used.

Now onto the upgrade; please note that the following procedure should only be chosen if all else fails, and requires a good working knowledge of SQL! See the last paragraph of this section for a possibly less tedious alternative to doing steps 1, 2, 6 and 7) :

'''Step 0:''' First of all, as always before big changes, backup all your data; that includes all files as well as exporting all database tables.

'''Step 1:''' If you want, you can convert the prefixes of all the tables in your database. This is especially useful if you would like to keep your 1.5 database in parallel to your 1.6/1.7 installation, at least for the transition period. It is best done using a script, here is one that worked pretty well as seen on [http://www.nilpo.com/2009/01/web-development/mysql-table-prefix-changer-tool/ Nilop]. '''Beware''', however, that executing this script will stop your old site from working because after the prefix conversion, your old installation can't access the database anymore (it will still try to access the tables by their old prefix)! To enable it again, import the database export created in step 0 after the script has finished running. Joomla 1.5 usually has the prefix of "jos" which you can convert to the prefix "jml" or "j16", for example. So using your ftp install the php converter script onto the root of your site. It should be at the url '''Mysite.com'''/prefix.php which all you need to do is fill in the database information. After this you have all the tables nicely converted to the new prefix.

[[File:Changer.JPG|center]]

Notice in the following screen shot that the sql data is "jos":
[[File:Tables.JPG|thumb|center|500px]]

You want it converted to "jml" as seen here:
[[File:Prefix.JPG|thumb|center|500px]]

'''Step 2:''' Export all the database tables you would like to use on your joomla 1.6+ site. Usually this is things like content and components.

[[File:Export.JPG|thumb|center|500px]]

'''Step 3:''' Uninstall your old site including the database, files, and directories that are associated with joomla. Or if you would rather just test the upgrade, skip step this step and create a new directory for your joomla 1.6+ site.

'''Step 4:''' Install the new joomla which is done through a ftp or a cpanel. If you have no database associated with it, install a new database and user.

'''Step 5:''' Install the components and other extensions you would have used before onto your new joomla 1.6+ site. This is done first, in order for none of your old database tables to be overwritten later.

'''Step 6: ''' Convert the .sql file with your 1.5 tables to an sql file compatible with the version you want to upgrade to. That is a very tedious step - you'll have to check the database schema changes between the 1.5 you're upgrading from and the 1.6.+ version you're upgrading to, and adapt the sql file accordingly. '''Note:''' This step could use a more detailed description, if you have ever done a manual Joomla migration, please help and share your experiences and knowledge here!

'''Step 7:''' Import the .sql file from your computer onto your joomla 1.6+ database. It is also possible that some extensions may have the possibility of changes to the sql tables when they upgraded there extension to joomla 1.6+. If this is the case, it is recommended that you ask the developer of that extension for help with knowing what changes to the sql were made.

'''Keep in mind!''' It is possible for settings to be lost based on how the component stored the settings. From personal experience it worked just fine, but you may want to review the settings of each component.

For an easier way to migrate articles, categories/sections, contacts, images, and users, be sure to use [http://extensions.joomla.org/extensions/migration-a-conversion/data-import-a-export/12816 J2XML] for exporting and [http://extensions.joomla.org/extensions/migration-a-conversion/joomla-migration/15807 J2XML Importer] for importing the data.

=Troubleshooting=
* first check, if you have php5 at least. (use phpinfo() or /usr/bin/php --version)
* '''jUpgrade cannot download Joomla 1.6 package?''' - When the download fails (timeouts, javascript issues, etc) you can download it manually here: http://anonymous:@joomlacode.org/svn/joomla/development/branches/jupgrade/pack/joomla16.zip and put this file into your ROOT/tmp directory. Then, in the preferences of jUpgrade, you must set 'Skip Download' to 'Yes'. After that, run the upgrade again.
* '''Are you getting errors with the progress bar in Internet Explorer (Windows XP)?''' - Use Firefox: http://www.mozilla.com/en-US/firefox/
* Go through the Requirements and Before You Get Started sections above and double check everything!
* '''Report Bugs:''' http://matware.com.ar/foros/jupgrade.html
* '''Support:''' http://matware.com.ar/foros/jupgrade.html
==How You can Contribute & Help==
Creating an extension as significant as jUpgrade requires an enormous amount of time and effort considering the major structural changes between Joomla 1.5 and 1.6. Add to this the fact that during each release of Joomla 1.6 betas, the extension would have to be modified to work with the new changes between releases, and all of a sudden it's too hard for any one person to complete in a short period of time (especially when you are not being paid).
With this being said, it's time to step up and make a difference, whether big or small. Have you profited from Joomla in the last year? Are you excited about the future of Joomla? Would you like to contribute back and show your gratitude? Now you can in this project!
We, as part of the Joomla community, are calling on the entire Joomla community to help out in whatever way you can. You don't have to be a master developer, just go through this tutorial on a test site and if you come across any bugs, report it. If you know how to fix it, create a patch for it. If you are a master developer, step up to the challenge.
* You can report bugs here: http://matware.com.ar/foros/jupgrade.html
* You can volunteer and ask questions about volunteering here: http://www.matware.com.ar/forum/projects/jupgrade/volunteer-information.html
[[Category:Joomla! 1.6]]
[[Category:Tutorials]]
[[Category:Migration]]
[[Category:Installation]]

Which DocType header to use

2011-09-15T10:04:24Z

CirTap: whitespace cleanup

Current thinking is that XHTML 1.0 Transitional should be used for Joomla! templates.
===Recommended DocTypes===
{{:Recommended DocTypes|}}
===References about DocTypes===
{{:References about DocTypes|}}
<noinclude>[[Category:Beginners]][[Category:Templates]][[Category:Topics]][[Category:HTML|DocType]][[Category:Template FAQ]]</noinclude>

Recommended DocTypes

2011-09-15T10:04:09Z

CirTap: whitespace cleanup

List of recommended [http://www.w3.org/QA/2002/04/valid-dtd-list.html DocTypes] for different circumstances:-

* HTML 4.01 Strict: <nowiki><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"></nowiki>
* HTML 4.01 Transitional: <nowiki><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"></nowiki>
* HTML 4.01 Frameset: <nowiki><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"></nowiki>
* XHTML 1.0 Strict: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"></nowiki>
* XHTML 1.0 Transitional: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"></nowiki>
* XHTML 1.0 Frameset: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"></nowiki>
* XHTML 1.1 DTD: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"></nowiki>
* HTML5: <!DOCTYPE html>
<noinclude>[[Category:Reference]][[Category:Templates]][[Category:Itemised lists]]</noinclude>

References about DocTypes

2011-09-15T10:02:52Z

CirTap: added W3C article, whitespace cleanup

References about recommended DocTypes:
* http://www.w3.org/QA/2002/04/valid-dtd-list.html
* http://www.w3.org/QA/2002/04/Web-Quality
* http://www.alistapart.com/stories/doctype
* http://htmlhelp.com/tools/validator/doctype.html
* http://vivalaweb.info/blog/musing/2005/05/14/choosing-the-right-doctype-a-straight-forward-guide/
* http://hsivonen.iki.fi/doctype/
<noinclude>[[Category:Reference]][[Category:Templates]][[Category:Itemised lists]]</noinclude>

Recommended DocTypes

2011-09-15T10:00:34Z

CirTap: added nowiki tags to prevent parsing od DTD urls, link to W3C article with DTD sources

List of recommended [http://www.w3.org/QA/2002/04/valid-dtd-list.html DocTypes] for different circumstances:-

* HTML 4.01 Strict: <nowiki><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"></nowiki>
* HTML 4.01 Transitional: <nowiki><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"></nowiki>
* HTML 4.01 Frameset: <nowiki><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"></nowiki>
* XHTML 1.0 Strict: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"></nowiki>
* XHTML 1.0 Transitional: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"></nowiki>
* XHTML 1.0 Frameset: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"></nowiki>
* XHTML 1.1 DTD: <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"></nowiki>
* HTML5: <!DOCTYPE html>

<noinclude>[[Category:Reference]]</noinclude>
<noinclude>[[Category:Templates]]</noinclude>
<noinclude>[[Category:Itemised lists]]</noinclude>

Upgrade 1.6.5 to 1.6.6

2011-08-02T11:31:24Z

CirTap: removed SID from forum link

__NOTOC__

Joomla! 1.6.6 was released yesterday (July 26, 2011) while Joomla! 1.7.0 was released a week prior (July 19th, 2011). Joomla 1.6.6 is a security release and is intended only for those users who are unable to use version 1.7.0. Most users should update to 1.7.0 unless there are specific reasons why they cannot use 1.7.0 at this time. Version 1.6 will reach end of life on 19 August 2011. All users of version 1.6 should update to version 1.7.0 before that time. The update process is very simple, and complete instructions are available here.

At the time of this writing (July 27, 2011), however, the automated backend Joomla installer only gives version Joomla! 1.7.0 as a possible upgrade route, so this tutorial will show how to you how to upgrade manually to 1.6.6 from any 1.6 version if there are specific reasons why 1.7.0 at this time can't be used. Alternatively you can also use a Joomla! extension to automate the process of loading version updates. See [http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/14087 Admin Tools for Joomla!] for more information.

[http://www.joomla.org/announcements/release-news/5383-joomla-166-released.html Review the release notes for the new version.]

{{upgrade-intro}}

==Step 1: Download the upgrade file==

To download 1.6.6:

* Proceed to the [http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=6007 Joomla 1.6.6 download area].
* Download Joomla_1.6.5_to_1.6.6-Stable-Patch_Package.zip if you're using 1.6.6 otherwise download Joomla_1.6.0_to_1.6.6-Stable-Patch_Package.zip for any other 1.6.x version.

If you have questions about these instructions or want to use tar.gz or tar.bz2 instead (e.g. if the file is taking an extremely long time to download), read the ''Additional Information'' below this table.

'''Additional information:'''

{{Ambox|image=notice|text=[[Template:patch|What is a patch?]]|style=width:400px}}

{{Ambox|image=notice|text=[[Unpacking a package file|Which package format should I use?]]|style=width:400px}}

==Step 2: Backup your site==
Before you actually upgrade, you really should make a backup of your site. Backup your existing Joomla site files and store all the files and database in case something gets messed up, you wont have any problem reverting back.

All upgrades should be first tested on a copy of your site before being applied to a live site.

==Step 3: Install the upgrade file==
{{installing a package file}}

==Step 4: Check your live site to make sure it is working correctly==
Don't assume that the upgrade will work flawlessly just because the test upgrade worked. Check to make sure that nothing untoward has happened. It could be that differences between the live site and test site platforms will bring out a problem that you did not notice during testing. If you find a problem and it cannot be resolved quickly you might have to rollback the upgrade using the backup copy you created in step 2.

Hopefully all will be well and you can relax. If you have any questions before, during, or after the upgrade then please ask them on the [http://forum.joomla.org/viewforum.php?f=625 Joomla! 1.7 Migrating and Upgrading Forum].

[[Category:Upgrading]]

Archived vel

2011-07-15T13:31:27Z

CirTap: Reverted edits by CirTap (talk) to last revision by Mandville

{{RightTOC}}

{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Reference Link'''
! '''Extension Update Link'''
|-
| style="background:#cef2e0; color:black" | '''com_ajaxchat'''
| Summary: PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat ('''com_ajaxchat''') component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.New version release December 22,2009
Published: october 28 2009
| [[NIST:CVE-2009-3822|CVE-2009-3822]]
| style="background:#cef2e0; color:white" | [http://extensions.joomla.org/extensions/communication/chat/10767 update v 1.1]
|-
| style="background:#cef2e0; color:black" | '''com_booklibrary'''
| PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary ('''com_booklibrary''') component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than [[NIST:CVE-2009-2637|CVE-2009-2637]]. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 10/28/2009
CVSS Severity: 7.5 (HIGH)
| [[NIST:CVE-2009-3817|CVE-2009-3817]]
| style="background:#cef2e0; color:black" | '''[http://ordasoft.com/Download/Joomla1.0-extensions/Joomla1.0-components/View-category.html developer site updates]'''
|-
| style="background:#cef2e0; color:black" | '''com_foobla_suggestions'''
| Summary: SQL injection vulnerability in the foobla Suggestions ('''com_foobla_suggestions''') component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.
Published: 10/11/2009
CVSS Severity: 7.5 (HIGH)
| [[NIST:CVE-2009-3669|CVE-2009-3669]]
| style="background:#cef2e0; color:white" | [http://foobla.com/news/latest/fixed-foobla-suggestions-for-joomla-idea_id-sql-injection-vulnerability.html developer reported upgrade]
|-
| style="background:red; color:white" | '''com_djcatalog'''
| Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog ('''com_djcatalog''') component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
Published: 10/11/2009
CVSS Severity: 6.8 (MEDIUM)
| [[NIST:CVE-2009-3661|CVE-2009-3661]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" | '''com_cbresumebuilder'''
| Summary: SQL injection vulnerability in the JoomlaCache CB Resume Builder (''''''com_cbresumebuilder''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3645|CVE-2009-3645]]
| style="background:#cef2e0; color:white" |'''[http://www.joomlacache.com/commercial-extensions/security-update.html Developer Update]'''
|-
| style="background:red; color:white" | '''com_soundset'''
| Summary: SQL injection vulnerability in the Soundset ('''com_soundset''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3644|CVE-2009-3644]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" |'''com_sportfusion'''
| Summary: SQL injection vulnerability in the Kinfusion SportFusion ('''com_sportfusion''') component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.
Published: 09/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3491|CVE-2009-3491]]
| style="background:red; color:white" |'''Not Known'''
|-
| style="background:red; color:white" | '''com_icrmbasic'''
| Summary: A certain interface in the iCRM Basic ('''com_icrmbasic''') component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3481|CVE-2009-3481]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_mytube'''
| Summary: SQL injection vulnerability in the MyRemote Video Gallery ('''com_mytube''') component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3446|CVE-2009-3446]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_fastball'''
| Summary: SQL injection vulnerability in the Fastball ('''com_fastball''') component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3443|CVE-2009-3443]]
| style="background:#cef2e0; color:white" | [http://www.fastballproductions.com latest version] 1.2.1
|-
| style="background:red; color:white" | '''com_facebook'''
| Summary: SQL injection vulnerability in the JoomlaFacebook ('''com_facebook''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3438|CVE-2009-3438]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_tupinambis'''
| Summary: SQL injection vulnerability in the Tupinambis ('''com_tupinambis''') component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3434|CVE-2009-3434]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" |'''com_idoblog'''
| Summary: SQL injection vulnerability in the IDoBlog ('''com_idoblog''') component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than [[NIST:CVE-2008-2627|CVE-2008-2627]].
Published: 09/25/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3417|CVE-2009-3417]]
| style="background:#cef2e0; color:white" |'''[http://idojoomla.com/download.html/ '''New Version v 1.1''' (build 32)]'''
|-
| style="background:red; color:white" | '''com_hbssearch'''
| Summary: Cross-site scripting ('''XSS''') vulnerability in the Hotel Booking Reservation System ('''aka HBS or com_hbssearch''') component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.
Published: 09/24/2009
CVSS Severity: 4.3 ('''MEDIUM''')
| [[NIST:CVE-2009-3368|CVE-2009-3368]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_hbssearch'''
| Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System ('''aka HBS or com_hbssearch''') component for Joomla! allow remote attackers to execute arbitrary SQL commands via the ('''1''') h_id, ('''2''') id, and ('''3''') rid parameters to longDesc.php, and the h_id parameter to ('''4''') detail.php, ('''5''') detail1.php, ('''6''') detail2.php, ('''7''') detail3.php, ('''8''') detail4.php, ('''9''') detail5.php, ('''10''') detail6.php, ('''11''') detail7.php, and ('''12''') detail8.php, different vectors than [[NIST:CVE-2008-5865|CVE-2008-5865]], [[NIST:CVE-2008-5874|CVE-2008-5874]], and [[NIST:CVE-2008-5875|CVE-2008-5875]].
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3357|CVE-2009-3357]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" |'''com_alphauserpoints'''
| Summary: SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints ('''com_alphauserpoints''') component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3342|CVE-2009-3342]]
| style="background:#cef2e0; color:white" |'''[http://www.alphaplug.com/index.php/news/142-alphauserpoints-153-released.html 1.5.3]'''
|-
| style="background:red; color:white" | '''TurtuShout'''
| Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3335|CVE-2009-3335]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jinc'''
| Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component ('''aka JINC or com_jinc''') component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3334|CVE-2009-3334]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" | '''com_jbudgetsmagic'''
| Summary: SQL injection vulnerability in the JBudgetsMagic ('''com_jbudgetsmagic''') component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3332|CVE-2009-3332]]
| style="background:#cef2e0; color:white" | '''[http://sopinet.com/jbudgetsmagic/index.php?option=com_remository&Itemid=5&lang=en Update to 0.4.1]'''
|-
| style="background:red; color:white" | '''com_surveymanager'''
| Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager ('''com_surveymanager''') component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3325|CVE-2009-3325]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_album'''
| Summary: Directory traversal vulnerability in the Roland Breedveld Album ('''com_album''') component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. ('''dot dot''') in the target parameter to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3318|CVE-2009-3318]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" | '''com_jreservation'''
| Summary: SQL injection vulnerability in the [http://extensions.joomla.org/extensions/vertical-markets/booking-a-reservation/9798 JReservation] ('''com_jreservation''') component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3316|CVE-2009-3316]]
| style="background:#cef2e0; color:black" | [http://www.jforjoomla.com Updated 28th] Jan fixed 13th Nov
|-
| style="background:red; color:white" | '''IXXO Cart Standalone'''
| Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
Published: 09/16/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3215|CVE-2009-3215]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_digifolio'''
| Summary: SQL injection vulnerability in the DigiFolio ('''com_digifolio''') component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.
Published: 09/15/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3193|CVE-2009-3193]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_aclassf'''
| Summary: Cross-site scripting ('''XSS''') vulnerability in '''gmap.php''' in the Almond Classifieds ('''com_aclassf''') component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.
Published: 09/10/2009
CVSS Severity: 4.3 ('''MEDIUM''')
| [[NIST:CVE-2009-3155|CVE-2009-3155]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" | '''com_aclassf'''
| Summary: SQL injection vulnerability in the Almond Classifieds ('''com_aclassf''') component 7.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action to index.php, a different vector than [[NIST:CVE-2009-2567|CVE-2009-2567]].
Published: 09/10/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3154|CVE-2009-3154]]
| style="background:#cef2e0; color:white" | [http://www.almondsoft.com/alcl.html Developer latest component]
|-
| style="background:red; color:white" | '''com_jabode'''
| Summary: SQL injection vulnerability in Jabode horoscope extension ('''com_jabode''') for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.
Published: 09/08/2009
CVSS Severity: 7.5 ('''HIGH''')

| [[NIST:CVE-2008-7169|CVE-2008-7169]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_gameserver'''
| Summary: SQL injection vulnerability in the Game Server ('''com_gameserver''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3063|CVE-2009-3063]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_artportal'''
| Summary: SQL injection vulnerability in the Artetics.com Art Portal ('''com_artportal''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3054|CVE-2009-3054]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" | '''com_agora'''
| Summary: Directory traversal vulnerability in the Agora ('''com_agora''') component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
Published: 09/03/2009
CVSS Severity: 6.8 ('''MEDIUM''')
| [[NIST:CVE-2009-3053|CVE-2009-3053]]
| style="background:#cef2e0; color:white" |'''[http://jvitals.com/index.php?option=com_rokdownloads&view=file&Itemid=108&id=282:agora-3-0 3.0.7]'''
|-
| style="background:red; color:white" | '''com_simpleshop'''
| Summary: SQL injection vulnerability in the Simple Shop Galore ('''com_simpleshop''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than [[NIST:CVE-2008-2568|CVE-2008-2568]]. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published: 08/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-7033|CVE-2008-7033]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_groups'''
| Summary: SQL injection vulnerability in the Permis ('''com_groups''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 08/17/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-2789|CVE-2009-2789]]
| style="background:red; color:white" | '''Not Known'''

|-
| style="background:#cef2e0; color:black" | '''com_content'''
| Summary: SQL injection vulnerability in the content component ('''com_content''') 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.
Published: 08/10/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6923|CVE-2008-6923]]
| style="background:#cef2e0; color:white" |'''[http://developer.joomla.org/security/news/305-20091103-core-front-end-editor-issue-.html Resolution]'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: SQL injection vulnerability in the Live Chat ('''com_livechat''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6883|CVE-2008-6883]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: Live Chat ('''com_livechat''') component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6882|CVE-2008-6882]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: Multiple SQL injection vulnerabilities in the Live Chat ('''com_livechat''') component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to ('''1''') getChat.php, ('''2''') getChatRoom.php, and ('''3''') getSavedChatRooms.php.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6881|CVE-2008-6881]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" |'''JUMI'''
| There is a backdoor in JUMI that installs itself when JUMI is installed on your web site. It sends your credentials to a website, and sets up a back door for remote code execution.
Please remove JUMI2.0.5 immediately.
It will be simple enough to remove the compromised code from this download, but you need to do
a full security audit on your site as well as you have been compromised. Added November 2009
| [http://code.google.com/p/jumi/updates/list Report]
| style="background:#cef2e0; color:white" |[http://code.google.com/p/jumi/updates/list Jumi Update]
|-
| style="background:#cef2e0; color:black" |'''com_photoblog'''
| Input Validation Error Added November 2009
| [http://www.securityfocus.com/bid/36809/ 36809]
| style="background:#cef2e0; color:white" |[http://webguerilla.net/downloads/3-components-for-joomla-1 webguerilla Photoblog alpha 3b]
|-
| style="background:red; color:white" | '''com_jshop'''
| Summary: SQL injection vulnerability in the JShop ('''com_jshop''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.
Published: 11/02/2009
CVSS Severity: 7.5 '''(HIGH)'''
| [[NIST:CVE-2009-3835|CVE-2009-3835]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black" |'''BF Survey Pro'''
| Summary: SQL injection vulnerability in the '''BF Survey Pro''' v1.2.5 or lower (fixed in version 1.2.6). '''BF Survey Basic v1.0''' (fixed in version 1.1). '''BF Quiz v1.1.1''' (fixed in version 1.2 or greater) Added November 2009
| [http://www.tamlyncreative.com.au/software/forum/index.php?topic=357.0 tamlyncreative.com.au]
| style="background:#cef2e0; color:white" |[http://www.tamlyncreative.com.au/software/forum/index.php?topic=357.0 update]
|-
| style="background:#cef2e0; color:black" |'''Joo!BB 0.9.1 '''
| Summary: Persistent XSS/MySQL Injection vulnerabilities in Joo!BB 0.9.1 Added November 2009
| [http://www.joobb.org/community/board/topic/700-MultipleXSSSQLInjectionVulnerabilities.html joob.org]
| style="background:#cef2e0; color:white" |[http://www.joobb.org/downloads/components.html update]
|-
| style="background:#cef2e0; color:black" |'''sh404sef '''
| Summary: sh404sef URI XSS Vulnerability Added November 2009
| [http://jeffchannell.com/Joomla/sh404sef-uri-xss-vulnerability.html jeffchannell.com]
| style="background:#cef2e0; color:white" |[http://extensions.siliana.com/en/2009060876/sh404SEF-and-url-rewriting/Interim-release-of-sh404sef-for-Joomla-1.5.x.html update]
|-
| style="background:#cef2e0; color:black" | '''AWD Wall 1.5'''
| Summary '''AWD Wall 1.5''' Blind SQL Injection Vulnerability.The Joomla component AWD Wall 1.5 suffers from an SQL Injection vulnerability in its handling of the 'cbuser' parameter.Added November 2009
| [http://jeffchannell.com/Joomla/awd-wall-15-blind-sql-injection-vulnerability.html Notice]
|style="background:#cef2e0; color:white" | '''[http://www.awdsolution.com/template_demo/testsite/index.php?option=com_content&view=article&id=48&Itemid=72 developer update]'''
|-
| style="background:red; color:white" | '''EasyBook 2.0.0rc4'''
| Summary: The Joomla component '''EasyBook 2.0.0rc4''' suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009
| [http://jeffchannell.com/Joomla/easybook-200rc4-multiple-xss-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''F!BB 1.5.96'''
| Summary: The Joomla component '''F!BB 1.5.96 RC''' suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009
| [http://jeffchannell.com/Joomla/fbb-1596-rc-multiple-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''Testimonial Ku 2.0 Admin Panel'''
| Summary: The Joomla component '''Testimonial Ku 2.0''' is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009
| [http://jeffchannell.com/Joomla/testimonial-ku-20-admin-panel-persistent-xss.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''MS Comment 0.8.0b'''
| Summary '''MS Comment 0.8.0b for Joomla''', a commenting plugin, suffers from an multiple vulnerabilities. Added November 2009
| [http://jeffchannell.com/Joomla/ms-comment-080b-multiple-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:#cef2e0; color:black" | '''!JoomlaComment 4.0 beta1'''
| Summary: '''!JoomlaComment 4.0 beta1''', a commenting plugin, suffers from multiple XSS vulnerabilities. Added November 2009
| [http://jeffchannell.com/Joomla/joomlacomment-40-beta1-multiple-xss-vulnerabilities.html Alert]
| style="background:#cef2e0; color:white" | ''' [http://compojoom.com/blog/8-news/121-joomlacomment-40-rc1-released Developer Notice 4.0 rc1]''
|-
| style="background:red; color:white" | '''WebAmoeba Ticket System 3.0.0'''
| Summary: '''WebAmoeba Ticket System 3.0.0''', a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags. Added November 2009
| [http://jeffchannell.com/Joomla/webamoeba-ticket-system-300-bbcode-xss.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |'''Kunena 1.5.x'''
|Summary: This is an important security release and users are urged to update immediately. Five security issues and an Internet Explorer 8 table bug have been resolved in this release. This release also contains many other important bug fixes. Added 18 November 2009
|[http://www.kunena.com/blog/19-developer-blog/51-kunena-157-security-release-now-available Advisory]
|style="background:#cef2e0; color:white" |[http://www.kunena.com/blog/19-developer-blog/52-kunena-158-service-release-now-available Latest 1.5.8 Version]
|-
| style="background:red; color:white" | '''com_siirler'''
| Summary: SQL injection vulnerability in the '''Q-Proje Siirler Bileseni (com_siirler)''' component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3972 | CVE-2009-3972]]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''jTips (com_jtips)'''
|SUmmary:SQL injection vulnerability in the '''jTips (com_jtips)''' component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3971 |CVE-2009-3971]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |'''NinjaMonials'''
| Summary: SQL injection vulnerability in the '''NinjaMonials (com_ninjacentral)''' component 1.1.0 for '''Joomla 1.0.x''' ! allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3964 | CVE-2009-3964]]
|style="background:#cef2e0; color:white" |''' [http://ninjaforge.com/index.php?option=com_ninjacentral&page=show_package&id=14&Itemid=235 developer patch Ver 1.2]'''
|-
|style="background:#cef2e0; color:black" | '''webee 1.1.1 &1.2'''
|Summary: '''webee 1.1.1,''' a Joomla commenting plugin, suffers from multiple vulnerabilities. '''webee has been updated to 1.2''' as of 12 November 2009 and''' still suffers''' from SQL Injection. XSS was not tested in 1.2. Added 19 November 2009
| [http://jeffchannell.com/Joomla/webee-111-multiple-vulnerabilities.html jeffchannell.com]
|style="background:#cef2e0; color:white" | ''' [http://extensions.joomla.org/extensions/contacts-and-feedback/articles-comments/10155 developer update ver2.0]'''
|-
|style="background:#cef2e0; color:black" |'''iF Portfolio Nexus'''
|Summary: The '''iF Portfolio Nexus component for Joomla!''' is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements using the id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009
|[http://secunia.com/advisories/37408/ secunia.com 37408/]
|style="background:#cef2e0; color:white" |[http://www.inertialfate.za.net/help/forums/topic?id=10&p=3#p172 iF Portfolio Nexus v1.1.1 released]

|-
|style="background:red; color:white" | '''JoomClip'''
|Summary: The '''JoomClip component for Joomla!''' is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009
|[http://secunia.com/advisories/37400/ secunia.com 37400/]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |'''Joomla XML'''
|Summary: Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number, via a direct request.
Published: 11/16/2009
|[[NIST:CVE-2009-3946 | CVE-2009-3946]]
|style="background:#cef2e0; color:white" |'''[http://developer.joomla.org/security/news/306-20091103-core-xml-file-read-issue.html Resolution]'''
|-
|style="background:red; color:white" | '''Mygallery Remote SQL Injection Vulnerability'''
|Summary: Joomla Component mygallery ( farbinform_krell) Remote SQL Injection Vulnerability Added 27 Nov 2009 {{JVer|1.5}} NB: This could be an error in our database as the only one we could find was for wordpress.If anyone know of one for joomla please let us know..(poss joomlicious.com CM)
|[http://www.exploit-db.com]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Extreme Google Calendar'''
|Summary: '''com_gcalendar 1.1.2''' (gcid) Remote SQL Injection Vulnerability
Remote SQL Injection were identified in Google Calendar Component [http://extensions.joomla.org/extensions/calendars-a-events/calendars/4188 Extension Link] Added 27 Nov 2009
|[http://www.exploit-db.com reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''LyftenBloggie'''
| Summary: [http://www.lyften.com/products/lyftenbloggie.html LyftenBloggie] Component "author" SQL Injection Vulnerability LyftenBloggie 1.x Added 27 Nov 2009
|[http://secunia.com/advisories/product/28005/ SA37499]
| [http://jeffchannell.com/Joomla/lyften-bloggie-sql-injection-fix.html Un official fix]. Developer fix not release at 30 Nov 09 ''' [http://www.lyften.com/products/lyftenbloggie/extensions/download/id-20.html 1.0.4a (last update on Dec 28, 2009)]'''
|-
|style="background:#cef2e0; color:black" |'''Sermon speaker'''
|Summary: [http://joomlacode.org/gf/project/sermon_speaker sermon speaker] sql vulnerability and password reset vulnerability version 3.2 and below
|
|style="background:#cef2e0; color:white" |[http://joomlacode.org/gf/project/sermon_speaker/forum/?action=ForumBrowse&forum_id=7897&_forum_action=ForumMessageBrowse&thread_id=15219 Developer fix] 30 Nov 2009
|-
|style="background:#cef2e0; color:white" | [http://joomlacode.org/gf/project/musicgallery/ MusicGallery]
|Summary: [http://joomlacode.org/gf/project/musicgallery/ Component MusicGallery] SQL Injection Vulnerability 30 November {{JVer|1.5}}
|[[NIST:CVE-2009-4217 | CVE-2009-4217]]
|style="background:#cef2e0; color:black" | [http://joomlacode.org/gf/project/musicgallery/ developer]
|}

----

== December 2009 Compiled Reports ==
{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Reference Link'''
! '''Extension Update Link'''
|-
|style="background:red; color:white" | '''Omilen Photo Gallery'''
|Summary: Directory traversal vulnerability in the [http://extensions.joomla.org/extensions/photos-&-images/photo-flash-gallery/6373/details Omilen Photo Gallery] (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
Published: 12/04/2009
|[[NIST:CVE-2009-4202 | CVE-2009-4202]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Seminar'''
|Summary: SQL injection vulnerability in the [http://seminar.vollmar.ws/ Seminar] (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php.
Published: 12/04/2009
|[[NIST:CVE-2009-4200 | CVE-2009-4200]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''Mambo Resident'''
|Summary: Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) property_uid parameter in a viewproperty action to index.php and the (2) regID parameter in a showregion action to index.php. Mambo Resident component for v4.5.2 '''may only be for 1.0.xx versions of J!'''
Published: 12/04/2009
|[[NIST:CVE-2009-4199 | CVE-2009-4199]]
|style="background:#cef2e0; color:white" |[http://www.jomres.net/ Replacement Extension 08 dec 09]
|-
|style="background:red; color:white" | '''ProofReader'''
|Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM)
| [[NIST:CVE-2009-4157 | CVE-2009-4157]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''Laoneo Google Calendar GCalendar'''
|Summary: SQL injection vulnerability in the [http://g4j.laoneo.net/content/extensions/download/cat_view/20-joomla-15x/21-gcalendar.html Google Calendar GCalendar] (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) Note: There is already a listing for GCalendar 1.1.2
|[[NIST:CVE-2009-4099 | CVE-2009-4099]]
|style="background:#cef2e0; color:white" | [http://g4j.laoneo.net/content/extensions/download/doc_details/28-gcalendar-suite-215.html Latest version GCalendar Suite 2.1.5]
|-
|style="background:red; color:white" | '''D4J eZine'''
|Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH)
|[[NIST:CVE-2009-4094 | CVE-2009-4094]]
|style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''Quick News'''
| Summary: The Joomla [http://joomlacode.org/gf/project/quicknews/ Quick News component] suffers from a remote SQL injection vulnerability. added 1st Dec 09
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''Joaktree component'''
|Summary: [http://extensions.joomla.org/extensions/miscellaneous/genealogy/9842 Joaktree] Vulnerability : SQL injection/ added 1st Dec 09
|[http://securityreason.com/exploitalert/7508 7508]
|style="background:#cef2e0; color:white" | ''' [http://naastniels.nl/index.php/en/joaktree/downloads version 1.1 update]'''
|-
|style="background:red; color:white" | '''mojoblog'''
|Summary [http://www.joomlify.com/files/mojoblog/ MojoBlog] Multiple Remote File Include Vulnerability added 1st Dec 09 {{JVer|1.5}}
|[http://securityreason.com/exploitalert/7509 7509]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''YJ Whois'''
|Summary: [http://extensions.joomla.org/extensions/external-contents/domain-search/5774 YJ Whois] '''Low security risk''',and fixesMalicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Files affected is , modules/mod_yj_whois.php added 3 December 09
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" |[http://www.youjoomla.com/xss-security-patch-for-yj-whois.html Developer Notice and fix 03 dec 09]
|-
|style="background:#cef2e0; color:black" | '''yt_color YOOOtheme'''
|Summary: [http://www.yootheme.com/ YT_color yootheme] Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. added 5 dec 09
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.yootheme.com/member-area/downloads/item/templates-15/xss-and-php-53-patches All members without an active membership can download the template patches here].'''
|-
|style="background:red; color:white" | '''TP Whois'''
|summary: [http://www.templateplazza.com/view-details/tpwhois/183-component-tp-whois-for-joomla-1.5.x.html TP Whois ] Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Added 3 december {{JVer|1.5}}
|[http://www.exploit-db.com Refrence]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_job'''
|Summary: Component com_job ( showMoreUse) SQL injection vulnerability Added 9th Dec
|[http://xforce.iss.net/xforce/xfdb/54626 Reference]
| style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''JQuarks'''
|Summary: [http://extensions.joomla.org/extensions/contacts-and-feedback/quiz-a-surveys/10590 JQuarks] SQL injection vulnerability {{JVer|1.5}} added 8th dec 09
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | [http://www.iptechinside.com/labs/projects/list_files/jquarks Developer Update ]
|-
|style="background:red; color:white" | '''Mamboleto Component 2.0 RC3'''
|Summary: [http://www.fernandosoares.com.br/index.php?option=com_docman&task=cat_view&gid=28&Itemid=28 Mamboleto Component 2.0 RC3]SQL injection vulnerability {{JVer|1.5}} added 12 December
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
| style="background:#cef2e0; color:black" | ''' JS JOBS'''
|Summary [http://www.joomshark.com/index.php?option=com_content&view=article&id=4&Itemid=8 JS JOBS] Joomla Component com_jsjobs 1.0.5.6 SQL Injection Vulnerabilities {{JVer|1.5}} added 12 December
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.joomsky.com/index.php?option=com_rokdownloads&view=folder&Itemid=3&id=2:components Developer update 1.0.5.7]'''
|-
|style="background:#cef2e0; color:black" | '''corePHP JPhoto'''
|Summary: [http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10365 'corePHP' JPhoto]SQL injection vulnerability {{JVer|1.5}} added 12 December
|[http://secunia.com/advisories/37676/ Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.corephp.com/blog/uber-fast-jphoto-security-release/ Developer Upgrade]'''
|-
|style="background:#cef2e0; color:black" | '''com_virtuemart'''
|Summary: "com_virtuemart" http://virtuemart.net/ '''Version : 1.0''' Vulnerability : SQL injection added Date : 07- dec -09 {{JVer|1.5}}
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" |[http://virtuemart.net/ latest version]
|-
|style="background:red; color:white" | ''' Kide Shoutbox'''

|Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08
|[[NIST:CVE-2009-4232 | CVE-2009-4232]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | ''' JoomPortfolio Component'''
|Summary: [http://www.joomplace.com/joomportfolio/joomportfolio.html JoomPortfolio] Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18 {{JVer|1.5}}
|[http://secunia.com/advisories/37838/ Reporting Site]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''City Portal (templates?)'''
|Summary: City Portal Blind SQL Injection Vulnerability added: 2009-12-18
|[http://www.exploit-db.com Reference] Possibly this [http://www.youjoomla.com/jclick-city-portal-joomla-template.html tempate]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Event Manager'''
|Summary: [http://www.jforjoomla.com/Joomla-Components/event-manager-15-component.html Event Manager] Blind SQL Injection Vulnerability EDB-ID: 10549
added: 2009-12-18
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | com_zcalendar
|Summary: com_zcalendar Blind SQL-injection Vulnerability
EDB-ID: 10548 added: 2009-12-18
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_acmisc'''
|Summary: com_acmisc SQL injection added: 2009-12-18
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''com_digistore'''
|Summary: com_digistore SQL injection EDB-ID: 10546 added: 2009-12-18 {{JVer|1.5}}
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.ijoomla.com/ijoomla-digistore/ijoomla-digistore/ijoomla-digistore-change-log/ Update change log] '''
|-
|style="background:red; color:white" | '''com_jbook'''
|Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18 {{JVer|1.0}}
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_personel'''
|Summary: com_personel component for Joomla! is vulnerable to SQL injection.
|[http://xforce.iss.net/xforce/xfdb/54903 iss.net reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''JEEMA Article Collection'''
|Summary: [http://www.forum.jeema.net/component/content/article/4-jeema-article-collection-component/13-about-jeema-article-collection.html JEEMA Article Collection] Input passed via the "catid" parameter to index.php (when "option" is set to "com_jeemaarticlecollection" and "view" is set to "longlook") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. version 1.0.0.1 {{JVer|1.5}} added 22 dec 09
| [http://secunia.com/advisories/37865/ secunia]
|style="background:#cef2e0; color:white" | [http://www.jeema.net/downloads/free-joomla-extensions/joomla-components/12-jeema-joomla-article-collection.htm fixed the same in the version v102.]
|-
|style="background:red; color:white" | '''HotBrackets Tournament Brackets '''
|Summary: The [http://extensions.joomla.org/extensions/sports-a-games/sports/10746 HotBrackets Tournament Brackets] component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. {{JVer|1.5}} added 22 dec
|[http://www.securityfocus.com/bid/37439/ Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Car Manager'''
|Summary: http://webformatique.com/ com_carman Cross Site Scripting Vulnerability added 24 december 09{{JVer|1.5}}
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" |'''Schools component'''
|Summary: The 'com_schools' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|[http://www.securityfocus.com/bid/37469 Reference] added 24 dec 09
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''webcamxp'''
|[http://extensions.joomla.org/extensions/communication/video-conference/4490 com_webcamxp] Cross Site Scripting Vulnerabilities Last version 2008 {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''beeheard'''
|[http://extensions.joomla.org/extensions/contacts-and-feedback/testimonials-a-suggestions/10283 beeheard] Blind SQL injection Vulnerability {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://beeheard.cmstactics.com/change-log Version 1.4.2] 04 Jan'''
|-
|style="background:red; color:white" | '''jm-recommend'''
|jm-recommendCross Site Scripting Vulnerabilities. unable to locate on jed. {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | facileforms
| com_facileforms Cross Site Scripting Vulnerabilities. unable to locate on jed. Product considered retired. {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''adagency'''
| [http://www.ijoomla.com/ijoomla-ad-agency/ijoomla-ad-agency/index/ adagency ]Vulnerabilities {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_intuit'''
|[http://www.san-diego-web-designer.com/new-file-download/item/root/aboutimage-igateway-for-joomla.html com_intuit]Local File Inclusion Vulnerability {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.securityfocus.com/bid/37494/discuss Retired]'''
|-
|style="background:red; color:white" | '''MemoryBook'''
|[http://extensions.joomla.org/extensions/calendars-a-events/birthdays-a-historic-events/10868 MemoryBook 1.2] Multiple Vulnerabilities. requires: magic quotes OFF, user account {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''qpersonel'''
|[http://extensions.joomla.org/extensions/directory-a-documentation/thematic-directory/7049 qpersonel ] Cross Site Scripting Vulnerabilities {{JVer|1.0}}[[Image:http://extensions.joomla.org/images/jed/compat_15_legacy.png]] Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''opryknings point'''
|com_oprykningspoint_mc Cross Site Scripting Vulnerabilities {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''trabalhe conosco'''
|com_trabalhe_conosco Cross Site Scripting Vulnerabilities {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''DhForum'''
|com_dhforum SQL Injection Vulnerability. considered retired/EOL Dec. 27 {{JVer|1.0}}1.5 legacy
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |'''com_morfeoshow'''
|[http://extensions.joomla.org/extensions/photos-a-images/photo-gallery-add-ons/9810 morfeoshow] this was a false report
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:black" | ''' false report'''
|-
|style="background:#cef2e0; color:black" |'''Run Digital Download rd-download'''
|[http://extensions.joomla.org/extensions/directory-a-documentation/downloads/7838 RD Download] Local File Disclosure Vulnerability {{JVer|1.5}} Dec. 30 Version affected not disclosed.
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | [http://extensions.joomla.org/extensions/directory-a-documentation/downloads/7838 Version 0.9 relased]
|-
|
|
|
|
|}
== November 2009 Compiled Vulnerability Reports. RESOLVED ONLY ==

Items are not in any particular order.

{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Reference Link'''
! '''Extension Update Link'''
|-
| style="background:red; color:white" | '''com_djcatalog'''
| Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog ('''com_djcatalog''') component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
Published: 10/11/2009
CVSS Severity: 6.8 (MEDIUM)
| [[NIST:CVE-2009-3661|CVE-2009-3661]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_soundset'''
| Summary: SQL injection vulnerability in the Soundset ('''com_soundset''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3644|CVE-2009-3644]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" |'''com_sportfusion'''
| Summary: SQL injection vulnerability in the Kinfusion SportFusion ('''com_sportfusion''') component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.
Published: 09/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3491|CVE-2009-3491]]
| style="background:red; color:white" |'''Not Known'''
|-
| style="background:red; color:white" | '''com_icrmbasic'''
| Summary: A certain interface in the iCRM Basic ('''com_icrmbasic''') component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3481|CVE-2009-3481]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_mytube'''
| Summary: SQL injection vulnerability in the MyRemote Video Gallery ('''com_mytube''') component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3446|CVE-2009-3446]]
| style="background:red; color:white" | '''Not Known'''
|-
| '''com_facebook'''
| Summary: SQL injection vulnerability in the JoomlaFacebook ('''com_facebook''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3438|CVE-2009-3438]]
| [http://extensions.joomla.org/extensions/4446/details JED entry.] [http://forge.joomla.org/gf/project/joomla-facebook/ Download site] Developer states reports not proven 24/07/10
|-
| style="background:red; color:white" | '''com_tupinambis'''
| Summary: SQL injection vulnerability in the Tupinambis ('''com_tupinambis''') component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3434|CVE-2009-3434]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_hbssearch'''
| Summary: Cross-site scripting ('''XSS''') vulnerability in the Hotel Booking Reservation System ('''aka HBS or com_hbssearch''') component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.
Published: 09/24/2009
CVSS Severity: 4.3 ('''MEDIUM''')
| [[NIST:CVE-2009-3368|CVE-2009-3368]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_hbssearch'''
| Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System ('''aka HBS or com_hbssearch''') component for Joomla! allow remote attackers to execute arbitrary SQL commands via the ('''1''') h_id, ('''2''') id, and ('''3''') rid parameters to longDesc.php, and the h_id parameter to ('''4''') detail.php, ('''5''') detail1.php, ('''6''') detail2.php, ('''7''') detail3.php, ('''8''') detail4.php, ('''9''') detail5.php, ('''10''') detail6.php, ('''11''') detail7.php, and ('''12''') detail8.php, different vectors than [[NIST:CVE-2008-5865|CVE-2008-5865]], [[NIST:CVE-2008-5874|CVE-2008-5874]], and [[NIST:CVE-2008-5875|CVE-2008-5875]].
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3357|CVE-2009-3357]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''TurtuShout'''
| Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3335|CVE-2009-3335]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jinc'''
| Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component ('''aka JINC or com_jinc''') component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3334|CVE-2009-3334]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_surveymanager'''
| Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager ('''com_surveymanager''') component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3325|CVE-2009-3325]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_album'''
| Summary: Directory traversal vulnerability in the Roland Breedveld Album ('''com_album''') component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. ('''dot dot''') in the target parameter to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3318|CVE-2009-3318]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''IXXO Cart Standalone'''
| Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
Published: 09/16/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3215|CVE-2009-3215]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_digifolio'''
| Summary: SQL injection vulnerability in the DigiFolio ('''com_digifolio''') component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.
Published: 09/15/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3193|CVE-2009-3193]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_aclassf'''
| Summary: Cross-site scripting ('''XSS''') vulnerability in '''gmap.php''' in the Almond Classifieds ('''com_aclassf''') component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.
Published: 09/10/2009
CVSS Severity: 4.3 ('''MEDIUM''')
| [[NIST:CVE-2009-3155|CVE-2009-3155]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jabode'''
| Summary: SQL injection vulnerability in Jabode horoscope extension ('''com_jabode''') for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.
Published: 09/08/2009
CVSS Severity: 7.5 ('''HIGH''')

| [[NIST:CVE-2008-7169|CVE-2008-7169]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_gameserver'''
| Summary: SQL injection vulnerability in the Game Server ('''com_gameserver''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3063|CVE-2009-3063]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_artportal'''
| Summary: SQL injection vulnerability in the Artetics.com Art Portal ('''com_artportal''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3054|CVE-2009-3054]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_simpleshop'''
| Summary: SQL injection vulnerability in the Simple Shop Galore ('''com_simpleshop''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than [[NIST:CVE-2008-2568|CVE-2008-2568]]. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published: 08/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-7033|CVE-2008-7033]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_groups'''
| Summary: SQL injection vulnerability in the Permis ('''com_groups''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 08/17/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-2789|CVE-2009-2789]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: SQL injection vulnerability in the Live Chat ('''com_livechat''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6883|CVE-2008-6883]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: Live Chat ('''com_livechat''') component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6882|CVE-2008-6882]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: Multiple SQL injection vulnerabilities in the Live Chat ('''com_livechat''') component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to ('''1''') getChat.php, ('''2''') getChatRoom.php, and ('''3''') getSavedChatRooms.php.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6881|CVE-2008-6881]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jshop'''
| Summary: SQL injection vulnerability in the JShop ('''com_jshop''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.
Published: 11/02/2009
CVSS Severity: 7.5 '''(HIGH)'''
| [[NIST:CVE-2009-3835|CVE-2009-3835]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black"| '''EasyBook 2.0.0rc4'''
| Summary: The Joomla component '''EasyBook 2.0.0rc4''' suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009
| [http://jeffchannell.com/Joomla/easybook-200rc4-multiple-xss-vulnerabilities.html Alert]
| style="background:#cef2e0; color:black"| '''
[http://www.kubik-rubik.de/joomla-hilfe/komponente-easybook-reloaded-joomla easybook reloaded released]
'''
|-
| style="background:red; color:white" | '''F!BB 1.5.96'''
| Summary: The Joomla component '''F!BB 1.5.96 RC''' suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009
| [http://jeffchannell.com/Joomla/fbb-1596-rc-multiple-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''Testimonial Ku 2.0 Admin Panel'''
| Summary: The Joomla component '''Testimonial Ku 2.0''' is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009
| [http://jeffchannell.com/Joomla/testimonial-ku-20-admin-panel-persistent-xss.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''MS Comment 0.8.0b'''
| Summary '''MS Comment 0.8.0b for Joomla''', a commenting plugin, suffers from an multiple vulnerabilities. Added November 2009
| [http://jeffchannell.com/Joomla/ms-comment-080b-multiple-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''WebAmoeba Ticket System 3.0.0'''
| Summary: '''WebAmoeba Ticket System 3.0.0''', a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags. Added November 2009
| [http://jeffchannell.com/Joomla/webamoeba-ticket-system-300-bbcode-xss.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''com_siirler'''
| Summary: SQL injection vulnerability in the '''Q-Proje Siirler Bileseni (com_siirler)''' component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3972 | CVE-2009-3972]]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''jTips (com_jtips)'''
|SUmmary:SQL injection vulnerability in the '''jTips (com_jtips)''' component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3971 |CVE-2009-3971]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''JoomClip'''
|Summary: The '''JoomClip component for Joomla!''' is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009
|[http://secunia.com/advisories/37400/ secunia.com 37400/]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Mygallery Remote SQL Injection Vulnerability'''
|Summary: Joomla Component mygallery ( farbinform_krell) Remote SQL Injection Vulnerability Added 27 Nov 2009 {{JVer|1.5}} NB: This could be an error in our database as the only one we could find was for wordpress.If anyone know of one for joomla please let us know..(poss joomlicious.com CM)
|[http://www.exploit-db.com]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Extreme Google Calendar'''
|Summary: '''com_gcalendar 1.1.2''' (gcid) Remote SQL Injection Vulnerability
Remote SQL Injection were identified in Google Calendar Component [http://extensions.joomla.org/extensions/calendars-a-events/calendars/4188 Extension Link] Added 27 Nov 2009
|[http://www.exploit-db.com reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''LyftenBloggie'''
| Summary: [http://www.lyften.com/products/lyftenbloggie.html LyftenBloggie] Component "author" SQL Injection Vulnerability LyftenBloggie 1.x Added 27 Nov 2009
|[http://secunia.com/advisories/product/28005/ SA37499]
| [http://jeffchannell.com/Joomla/lyften-bloggie-sql-injection-fix.html Un official fix]. Developer fix not release at 30 Nov 09 ''' [http://www.lyften.com/products/lyftenbloggie/extensions/download/id-20.html 1.0.4a (last update on Dec 28, 2009)]'''
|}

== November 2009 Compiled Vulnerability Reports. ==

Items are not in any particular order.

{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Reference Link'''
! '''Extension Update Link'''
|-
| style="background:red; color:white" | '''com_djcatalog'''
| Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog ('''com_djcatalog''') component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
Published: 10/11/2009
CVSS Severity: 6.8 (MEDIUM)
| [[NIST:CVE-2009-3661|CVE-2009-3661]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_soundset'''
| Summary: SQL injection vulnerability in the Soundset ('''com_soundset''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3644|CVE-2009-3644]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" |'''com_sportfusion'''
| Summary: SQL injection vulnerability in the Kinfusion SportFusion ('''com_sportfusion''') component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.
Published: 09/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3491|CVE-2009-3491]]
| style="background:red; color:white" |'''Not Known'''
|-
| style="background:red; color:white" | '''com_icrmbasic'''
| Summary: A certain interface in the iCRM Basic ('''com_icrmbasic''') component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3481|CVE-2009-3481]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_mytube'''
| Summary: SQL injection vulnerability in the MyRemote Video Gallery ('''com_mytube''') component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3446|CVE-2009-3446]]
| style="background:red; color:white" | '''Not Known'''
|-
| '''com_facebook'''
| Summary: SQL injection vulnerability in the JoomlaFacebook ('''com_facebook''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3438|CVE-2009-3438]]
| [http://extensions.joomla.org/extensions/4446/details JED entry.] [http://forge.joomla.org/gf/project/joomla-facebook/ Download site] Developer states reports not proven 24/07/10
|-
| style="background:red; color:white" | '''com_tupinambis'''
| Summary: SQL injection vulnerability in the Tupinambis ('''com_tupinambis''') component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3434|CVE-2009-3434]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_hbssearch'''
| Summary: Cross-site scripting ('''XSS''') vulnerability in the Hotel Booking Reservation System ('''aka HBS or com_hbssearch''') component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.
Published: 09/24/2009
CVSS Severity: 4.3 ('''MEDIUM''')
| [[NIST:CVE-2009-3368|CVE-2009-3368]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_hbssearch'''
| Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System ('''aka HBS or com_hbssearch''') component for Joomla! allow remote attackers to execute arbitrary SQL commands via the ('''1''') h_id, ('''2''') id, and ('''3''') rid parameters to longDesc.php, and the h_id parameter to ('''4''') detail.php, ('''5''') detail1.php, ('''6''') detail2.php, ('''7''') detail3.php, ('''8''') detail4.php, ('''9''') detail5.php, ('''10''') detail6.php, ('''11''') detail7.php, and ('''12''') detail8.php, different vectors than [[NIST:CVE-2008-5865|CVE-2008-5865]], [[NIST:CVE-2008-5874|CVE-2008-5874]], and [[NIST:CVE-2008-5875|CVE-2008-5875]].
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3357|CVE-2009-3357]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''TurtuShout'''
| Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
Published: 09/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3335|CVE-2009-3335]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jinc'''
| Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component ('''aka JINC or com_jinc''') component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3334|CVE-2009-3334]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_surveymanager'''
| Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager ('''com_surveymanager''') component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3325|CVE-2009-3325]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_album'''
| Summary: Directory traversal vulnerability in the Roland Breedveld Album ('''com_album''') component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. ('''dot dot''') in the target parameter to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3318|CVE-2009-3318]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''IXXO Cart Standalone'''
| Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
Published: 09/16/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3215|CVE-2009-3215]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_digifolio'''
| Summary: SQL injection vulnerability in the DigiFolio ('''com_digifolio''') component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.
Published: 09/15/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3193|CVE-2009-3193]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_aclassf'''
| Summary: Cross-site scripting ('''XSS''') vulnerability in '''gmap.php''' in the Almond Classifieds ('''com_aclassf''') component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.
Published: 09/10/2009
CVSS Severity: 4.3 ('''MEDIUM''')
| [[NIST:CVE-2009-3155|CVE-2009-3155]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jabode'''
| Summary: SQL injection vulnerability in Jabode horoscope extension ('''com_jabode''') for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.
Published: 09/08/2009
CVSS Severity: 7.5 ('''HIGH''')

| [[NIST:CVE-2008-7169|CVE-2008-7169]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_gameserver'''
| Summary: SQL injection vulnerability in the Game Server ('''com_gameserver''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3063|CVE-2009-3063]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_artportal'''
| Summary: SQL injection vulnerability in the Artetics.com Art Portal ('''com_artportal''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-3054|CVE-2009-3054]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_simpleshop'''
| Summary: SQL injection vulnerability in the Simple Shop Galore ('''com_simpleshop''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than [[NIST:CVE-2008-2568|CVE-2008-2568]]. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published: 08/24/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-7033|CVE-2008-7033]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_groups'''
| Summary: SQL injection vulnerability in the Permis ('''com_groups''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 08/17/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2009-2789|CVE-2009-2789]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: SQL injection vulnerability in the Live Chat ('''com_livechat''') component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6883|CVE-2008-6883]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: Live Chat ('''com_livechat''') component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6882|CVE-2008-6882]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_livechat'''
| Summary: Multiple SQL injection vulnerabilities in the Live Chat ('''com_livechat''') component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to ('''1''') getChat.php, ('''2''') getChatRoom.php, and ('''3''') getSavedChatRooms.php.
Published: 07/30/2009
CVSS Severity: 7.5 ('''HIGH''')
| [[NIST:CVE-2008-6881|CVE-2008-6881]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:red; color:white" | '''com_jshop'''
| Summary: SQL injection vulnerability in the JShop ('''com_jshop''') component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.
Published: 11/02/2009
CVSS Severity: 7.5 '''(HIGH)'''
| [[NIST:CVE-2009-3835|CVE-2009-3835]]
| style="background:red; color:white" | '''Not Known'''
|-
| style="background:#cef2e0; color:black"| '''EasyBook 2.0.0rc4'''
| Summary: The Joomla component '''EasyBook 2.0.0rc4''' suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009
| [http://jeffchannell.com/Joomla/easybook-200rc4-multiple-xss-vulnerabilities.html Alert]
| style="background:#cef2e0; color:black"| '''
[http://www.kubik-rubik.de/joomla-hilfe/komponente-easybook-reloaded-joomla easybook reloaded released]
'''
|-
| style="background:red; color:white" | '''F!BB 1.5.96'''
| Summary: The Joomla component '''F!BB 1.5.96 RC''' suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009
| [http://jeffchannell.com/Joomla/fbb-1596-rc-multiple-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''Testimonial Ku 2.0 Admin Panel'''
| Summary: The Joomla component '''Testimonial Ku 2.0''' is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009
| [http://jeffchannell.com/Joomla/testimonial-ku-20-admin-panel-persistent-xss.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''MS Comment 0.8.0b'''
| Summary '''MS Comment 0.8.0b for Joomla''', a commenting plugin, suffers from an multiple vulnerabilities. Added November 2009
| [http://jeffchannell.com/Joomla/ms-comment-080b-multiple-vulnerabilities.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''WebAmoeba Ticket System 3.0.0'''
| Summary: '''WebAmoeba Ticket System 3.0.0''', a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags. Added November 2009
| [http://jeffchannell.com/Joomla/webamoeba-ticket-system-300-bbcode-xss.html Alert]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''com_siirler'''
| Summary: SQL injection vulnerability in the '''Q-Proje Siirler Bileseni (com_siirler)''' component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3972 | CVE-2009-3972]]
| style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''jTips (com_jtips)'''
|SUmmary:SQL injection vulnerability in the '''jTips (com_jtips)''' component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009
| [[NIST:CVE-2009-3971 |CVE-2009-3971]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''JoomClip'''
|Summary: The '''JoomClip component for Joomla!''' is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009
|[http://secunia.com/advisories/37400/ secunia.com 37400/]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Mygallery Remote SQL Injection Vulnerability'''
|Summary: Joomla Component mygallery ( farbinform_krell) Remote SQL Injection Vulnerability Added 27 Nov 2009 {{JVer|1.5}} NB: This could be an error in our database as the only one we could find was for wordpress.If anyone know of one for joomla please let us know..(poss joomlicious.com CM)
|[http://www.exploit-db.com]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Extreme Google Calendar'''
|Summary: '''com_gcalendar 1.1.2''' (gcid) Remote SQL Injection Vulnerability
Remote SQL Injection were identified in Google Calendar Component [http://extensions.joomla.org/extensions/calendars-a-events/calendars/4188 Extension Link] Added 27 Nov 2009
|[http://www.exploit-db.com reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''LyftenBloggie'''
| Summary: [http://www.lyften.com/products/lyftenbloggie.html LyftenBloggie] Component "author" SQL Injection Vulnerability LyftenBloggie 1.x Added 27 Nov 2009
|[http://secunia.com/advisories/product/28005/ SA37499]
| [http://jeffchannell.com/Joomla/lyften-bloggie-sql-injection-fix.html Un official fix]. Developer fix not release at 30 Nov 09 ''' [http://www.lyften.com/products/lyftenbloggie/extensions/download/id-20.html 1.0.4a (last update on Dec 28, 2009)]'''
|}

----

== December 2009 Compiled Reports ==
{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Reference Link'''
! '''Extension Update Link'''
|-
|style="background:red; color:white" | '''Omilen Photo Gallery'''
|Summary: Directory traversal vulnerability in the [http://extensions.joomla.org/extensions/photos-&-images/photo-flash-gallery/6373/details Omilen Photo Gallery] (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
Published: 12/04/2009
|[[NIST:CVE-2009-4202 | CVE-2009-4202]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''Seminar'''
|Summary: SQL injection vulnerability in the [http://seminar.vollmar.ws/ Seminar] (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php.
Published: 12/04/2009
|[[NIST:CVE-2009-4200 | CVE-2009-4200]]
|style="background:#cef2e0; color:black" | ''' released V1.29, released'''
|-
|style="background:red; color:white" | '''ProofReader'''
|Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM)
| [[NIST:CVE-2009-4157 | CVE-2009-4157]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''D4J eZine'''
|Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH)
|[[NIST:CVE-2009-4094 | CVE-2009-4094]]
|style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''Quick News'''
| Summary: The Joomla [http://joomlacode.org/gf/project/quicknews/ Quick News component] suffers from a remote SQL injection vulnerability. added 1st Dec 09
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''mojoblog'''
|Summary [http://www.joomlify.com/files/mojoblog/ MojoBlog] Multiple Remote File Include Vulnerability added 1st Dec 09 {{JVer|1.5}}
|[http://securityreason.com/exploitalert/7509 7509]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''TP Whois'''
|summary: [http://www.templateplazza.com/view-details/tpwhois/183-component-tp-whois-for-joomla-1.5.x.html TP Whois ] Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Added 3 december {{JVer|1.5}}
|[http://www.exploit-db.com Refrence]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_job'''
|Summary: Component com_job ( showMoreUse) SQL injection vulnerability Added 9th Dec
|[http://xforce.iss.net/xforce/xfdb/54626 Reference]
| style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Mamboleto Component 2.0 RC3'''
|Summary: [http://www.fernandosoares.com.br/index.php?option=com_docman&task=cat_view&gid=28&Itemid=28 Mamboleto Component 2.0 RC3]SQL injection vulnerability {{JVer|1.5}} added 12 December
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | ''' Kide Shoutbox'''
|Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08
|[[NIST:CVE-2009-4232 | CVE-2009-4232]]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | ''' JoomPortfolio Component'''
|Summary: [http://www.joomplace.com/joomportfolio/joomportfolio.html JoomPortfolio] Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18 {{JVer|1.5}}
|[http://secunia.com/advisories/37838/ Reporting Site]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''City Portal (templates?)'''
|Summary: City Portal Blind SQL Injection Vulnerability added: 2009-12-18
|[http://www.exploit-db.com Reference] Possibly this [http://www.youjoomla.com/jclick-city-portal-joomla-template.html tempate]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Event Manager'''
|Summary: [http://www.jforjoomla.com/Joomla-Components/event-manager-15-component.html Event Manager] Blind SQL Injection Vulnerability EDB-ID: 10549
added: 2009-12-18
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | com_zcalendar
|Summary: com_zcalendar Blind SQL-injection Vulnerability
EDB-ID: 10548 added: 2009-12-18
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_acmisc'''
|Summary: com_acmisc SQL injection added: 2009-12-18
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_jbook'''
|Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18 {{JVer|1.0}}
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_personel'''
|Summary: com_personel component for Joomla! is vulnerable to SQL injection.
|[http://xforce.iss.net/xforce/xfdb/54903 iss.net reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''HotBrackets Tournament Brackets '''
|Summary: The [http://extensions.joomla.org/extensions/sports-a-games/sports/10746 HotBrackets Tournament Brackets] component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. {{JVer|1.5}} added 22 dec
|[http://www.securityfocus.com/bid/37439/ Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Car Manager'''
|Summary: http://webformatique.com/ com_carman Cross Site Scripting Vulnerability added 24 december 09{{JVer|1.5}}
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" |'''Schools component'''
|Summary: The 'com_schools' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|[http://www.securityfocus.com/bid/37469 Reference] added 24 dec 09
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''webcamxp'''
|[http://extensions.joomla.org/extensions/communication/video-conference/4490 com_webcamxp] Cross Site Scripting Vulnerabilities Last version 2008 {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''jm-recommend'''
|jm-recommendCross Site Scripting Vulnerabilities. unable to locate on jed. {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | facileforms
| com_facileforms Cross Site Scripting Vulnerabilities. unable to locate on jed. Product considered retired. {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''adagency'''
| [http://www.ijoomla.com/ijoomla-ad-agency/ijoomla-ad-agency/index/ adagency ]Vulnerabilities {{JVer|1.5}} Dec 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''com_intuit'''
|[http://www.san-diego-web-designer.com/new-file-download/item/root/aboutimage-igateway-for-joomla.html com_intuit]Local File Inclusion Vulnerability {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.securityfocus.com/bid/37494/discuss Retired]'''
|-
|style="background:red; color:white" | '''MemoryBook'''
|[http://extensions.joomla.org/extensions/calendars-a-events/birthdays-a-historic-events/10868 MemoryBook 1.2] Multiple Vulnerabilities. requires: magic quotes OFF, user account {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''qpersonel'''
|[http://extensions.joomla.org/extensions/directory-a-documentation/thematic-directory/7049 qpersonel ] Cross Site Scripting Vulnerabilities {{JVer|1.0}}[[Image:http://extensions.joomla.org/images/jed/compat_15_legacy.png]] Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''opryknings point'''
|com_oprykningspoint_mc Cross Site Scripting Vulnerabilities {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''trabalhe conosco'''
|com_trabalhe_conosco Cross Site Scripting Vulnerabilities {{JVer|1.5}} Dec. 27
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''DhForum'''
|com_dhforum SQL Injection Vulnerability. considered retired/EOL Dec. 27 {{JVer|1.0}}1.5 legacy
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|}

----

== January 2010 Reported Vulnerable Extensions ==

'''Please check with the extension publisher in case of any questions over the security of their product.'''
Report Vulnerable extensions either in the [[jforum:432]] security topic or the [http://forum.joomla.org/viewforum.php?f=470 extensions] topic clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond.
''This list is change protected, for updates or editing requests [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance]
''

[http://docs.joomla.org/Vulnerable_Extensions_List Back To Top]

{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Reference Link'''
! '''Extension Update Link'''
|-
|style="background:#cef2e0; color:black" |JvideoDirect
|Summary: [http://extensions.joomla.org/extensions/multimedia/video-players-a-gallery/9501 Jvideodirect] SQLi Jan 29
|
|[http://www.jvideodirect.com/ Update version 2.5]
|-
|style="background:#cef2e0; color:black" |'''JEvent search plugin'''
|Summary: JEvent search plugin for [http://extensions.joomla.org/extensions/calendars-a-events/events/95 JEvent] SQLi reported Jan 29
|
|style="background:#cef2e0; color:white" | ''' [http://www.jevents.net/forum/viewtopic.php?f=17&t=3910#p15526 upgrade to 1.5.3b]'''
|
|-
|style="background:#cef2e0; color:black" |'''Kunena'''
|Summary: [http://extensions.joomla.org/extensions/communication/forum/7256/details kunena] re reported suffering SQLi in version 1.5.9 Jan 29 Confirmation Required '''Now found to be malicious'''
|
|style="background:#cef2e0; color:black" | ''' [http://www.kunena.com/blog/19-developer-blog/51-kunena-157-security-release-now-available Versions 1.5.5 and below only]'''
|
|-
|style="background:red; color:white" |'''JE Quiz'''
|Summary : http://extensions.joomla.org/extensions/contacts-and-feedback/quiz-a-surveys/11212 JeQuiz SQLi reported 29 Jan
|
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black"" |'''idoblog'''
|summary: exploitable due to open file permissions. 28 Jan
|Private Notification
|style="background:#cef2e0; color:black" | ''' [http://idojoomla.com/news.html build 35 released] '''
|-
|style="background:#cef2e0; color:black" |'''ccnewsletter'''
|Summary [http://extensions.joomla.org/extensions/5112/details ccnewsletter Directory Traversal Vulnerability] Jan 28
|Private Notification
|style="background:#cef2e0; color:white" | ''' [http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html version 1.0.6 released 29 Jan]'''
|-
|style="background:#cef2e0; color:white" |'''Virtuemart 1.1.4'''
|Summary: [http://extensions.joomla.org/extensions/e-commerce/shopping-cart/129 virtuemart] Input var order_status_id is vulnerable to SQLi NB Requires Higher Level access before exploiting. Jan 27
|
|style="background:#cef2e0; color:black" | ''' [http://forum.joomla.org/viewtopic.php?p=2027005#p2027005 developer patches]'''
|-
|style="background:#cef2e0; color:black" |'''JBDiary'''
|Summary: [http://extensions.joomla.org/extensions/calendars-a-events/events/11009 JBDiary] BLIND SQL Injection Vulnerabilities Jan 24 [http://www.jb-soft.nl/ http://www.jb-soft.nl/]
|
|style="background:#cef2e0; color:white" | ''' [http://www.jb-soft.nl/index.php?option=com_content&view=article&id=64 Developer Update 27 Jan]'''
|-
|style="background:#cef2e0; color:black" |'''JbPublishDownFp'''
|Sumary: [http://extensions.joomla.org/extensions/news-production/timed-content/6496 JbPublishDownFp] SQL Injection Vulnerability Jan 24 [http://www.jb-soft.nl http://www.jb-soft.nl]
|
|style="background:#cef2e0; color:white" |''' [http://www.jb-soft.nl/index.php?option=com_content&view=article&id=64 Developer Update Jan 27]'''
|-
|style="background:red; color:white" |'''com_casino'''
|Summary: [http://extensions.joomla.org/extensions/sports-a-games/tips-a-betts com_casino]
SQL Injection Vulnerabilities Jan24
|
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |'''Mochigames'''
|Summary: [http://extensions.joomla.org/extensions/search/mochigames com_Mochigames]
SQL Injection Vulnerabilities Jan24
|
|style="background:#cef2e0; color:white" | ''' [http://www.yoflash.com/download.html mochigames_alpha052 Released]'''
|-
|style="background:red; color:white" |'''ContentBlogList'''
|Summary: [http://extensions.joomla.org/extensions/news-production/blog/10989 com_ContentBlogList] SQL Injection Vulnerability Jan 23
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |MailChimp for Joomla 1.5
|Summary: [http://extensions.joomla.org/extensions/bridges/mailing-a-newsletter-bridges/7836 MailChimp for Joomla 1.5] jan 17
|Developer Statement
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''JoomlaXML'''
|Summary: [http://extensions.joomla.org/extensions/tools/design-tools/5020 JoomlaXML] malicious code insertion
|
|style="background:red; color:white" | ''' Not Known'''
|-
| style="background:red; color:white" | '''JVClouds3D SWF module'''
|[http://joomlapro.ru/3djvclouds JVClouds3D SWF module] Cross Site Scripting . jan 14
|[http://xforce.iss.net/xforce/xfdb/55535 xforce]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''JVClouds3D'''
|[http://joomlapro.ru/3djvclouds JVClouds3D module] Cross Site Scripting . jan 14
|[http://xforce.iss.net/xforce/xfdb/55534 xforce]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''JA Showcase'''
|[http://www.joomlart.com/addons/components_and_modules/ja_showcase.html JA Showcase component] Directory Traversal jan 14
|[http://xforce.iss.net/xforce/xfdb/55512 xforce]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''jprojects'''
|Summary: Unknown Author com_j-projects Blind SQL Injection Vulnerability. Jan 10 detail update
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''jEmbed-Embed Anything'''
|[http://www.joshprakash.com/index.php?option=com_docman&task=doc_details&gid=70 jEmbed-Embed Anything] A vulnerability has been discovered in the jEmbed-Embed Anything component for Joomla, which can be exploited by malicious people to conduct SQL injection attacks. Jan 10
|[http://secunia.com/advisories/38112 Secunia Advisory: SA38112]
|style="background:red; color:white" | [http://extensions.joomla.org/extensions/3699/details Product considered retired]
|-
|style="background:#cef2e0; color:black" |'''perchagallery '''
|Summary: perchagallery [http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10350 com_perchagallery] SQL Injection Vulnerability Jan 7
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.percha.com/index.php?option=com_phocadownload&view=file&id=22:1.5&Itemid=20 Developer Update 1.5b]'''
|-
|style="background:#cef2e0; color:black" | '''CARTwebERP'''
|Summary: [http://extensions.joomla.org/extensions/bridges/e-commerce-bridges/8753 CARTwebERP] Local File Inclusion Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://extensions.joomla.org/extensions/bridges/e-commerce-bridges/8753 1.56.76 (last update on Jan 11, 2010)]'''
|-
|style="background:#cef2e0; color:black" | '''JoomlaBibleStudy'''
|Summary: [http://extensions.joomla.org/extensions/miscellaneous/religion/3461 JoomlaBibleStudy] LFI Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | '''[http://joomlabiblestudy.org/invisible-downloads/category/3-component.html Developer reported update]'''
|-
|style="background:#cef2e0; color:black" | '''com_bfsurvey_basic and pro'''
|Summary: [http://www.tamlyncreative.com.au/software/ BFsurvey] SQL Injection Vulnerability ,LFI Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.tamlyncreative.com.au/software/forum/index.php?topic=641.0 Developer Update announcement]'''
|-
|style="background:red; color:white" | '''Alfresco'''
|Summary: SQL Injection Vulnerability. Not believed to be Joomlatools extension Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''abbrev'''
|Summary: [http://extensions.joomla.org/extensions/directory-a-documentation/glossary-a-dictionary/4965 abbrev] Local File Inclusion Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''countries'''
|Summary: [http://extensions.joomla.org/extensions/miscellaneous/development/6553 countries] SQL Injection Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''Dedicated Component com_tpjobs'''
|Summary: [http://www.templateplazza.com/ tpjobs] SQL Injection Vulnerability unable to locate files probably template plaza Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:#cef2e0; color:white" | ''' [http://www.templateplazza.com/extensions-updates/tpjobs-component-update-v-1.1.html Developer Update] '''
|-
|style="background:red; color:white" | '''Component com_doqment'''
|SQL Injection Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''Component com_otzivi'''
|Blind SQL Injection Vulnerability Jan. 3
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" | '''aprice'''
|Summary: [http://adeptweb.info/component/option,com_aprice/Itemid,109/ com_aprice] Component 'analog' Parameter SQL Injection Vulnerability
|[http://www.securityfocus.com/bid/37575 Report]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:red; color:white" |'''cartikads'''
|Summary: [http://www.cartikahosting.com com_cartikads] Remote File Upload Vulnerability
'''Mambo''' Open Source ads management component
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''Docman seller'''
|Summary: [http://extensions.joomla.org/extensions/e-commerce/subscriptions/5000 Document seller] Input passed via the "id" parameter to index.php (when "option" is set to "com_dm_orders", "task" is set to "order_form", and "payment_method" is set to "Paypal") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
|[http://secunia.com/advisories/38024/ secunia]
|style="background:#cef2e0; color:white" | [http://extensions.joomla.org/extensions/e-commerce/subscriptions/5000 Updated 10th Jan]
|-
|style="background:#cef2e0; color:black" | '''ozio gallery'''
|summary: [http://extensions.joomla.org/extensions/photos-a-images/photo-flash-gallery/4883 Ozio Gallery2] SQLi eploit
|[http://www.viruslist.com/en/advisories/37974 Reference]
|style="background:#cef2e0; color:white" |[http://oziogallery.joomla.it/index.php?option=com_content&view=article&id=62%3Anuova-ozio-gallery-23-aggiornamento-di-sicurezza&catid=2%3Anotizie&Itemid=13&lang=en developer update Jan 11]
|-
|style="background:#cef2e0; color:black" | '''RD-Autos Free'''
|[http://extensions.joomla.org/extensions/vertical-markets/vehicles/5458 RD-Autos Free ] This version is now commercial not free
|Private advisory to JED Jan 11
|style="background:red; color:white" | ''' Product Retired and replaced'''
|-
|style="background:red; color:white" | '''DailyMeals'''
|Summary: [http://extensions.joomla.org/extensions/vertical-markets/food-a-beverage/4764 dailymeals] Local File Inclusion Vulnerability Jan 02
|[http://www.exploit-db.com Reference]
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" | '''RD-Autos Pro'''
|[http://extensions.joomla.org/extensions/vertical-markets/vehicles/6357 RD Autos Pro]
|Private advisory to JED Jan 11
|style="background:#cef2e0; color:black" | ''' Upgrade to Latest version be 2.0.2'''
|-
|
|
|
|
|}

----
[[Category:Security]]
[[Category:Component Management]]

Vulnerable Extensions List

2011-07-15T13:03:37Z

CirTap: Reverted edits by CirTap (talk) to last revision by Mandville

{{RightTOC}}
'''List prior to Jnuary 2010 ([[Archived vel|now archived]])''' Please check here also.

Please also check the [[Investigation of exploits|Extension Investigation List]].

== Check and Report. ==
'''Please check with the extension publisher in case of any questions over the security of their product.'''
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond.
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] are the main editors
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly

== How to use this list ==
'''Items will be removed after a suitable period and not on resolution'''
All known vulnerable extensions are the listed in the first column. Any in a red box are where we have not been given a fix for. Alert Advisory details in the centre column .
Finally a link to the notice about any update with link or '''Not Known''' where none is known.

'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]
* We do not list BETA products, or extensions for J1.0.x

== Developers - How to get yourself removed from the VEL ==

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

* '''If JED listed'''

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.

5- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of yournew version number and security notice page

6- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website

VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here]

* '''If not JED listed.'''
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.

== February 2010 and onwards Reported Vulnerable Extensions ==
<startFeed />

'''Please check with the extension publisher in case of any questions over the security of their product.'''
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List_0210#Codes_used codes]
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly

{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Date Added'''
! class="unsortable" |'''Extension Update Link & Date'''
|-
|style="background:red; color:white" |

== Sobi ==
|SQLI -
|130711
|[http://www.sigsiu.net/changelog developer fix and update statement]
|-
|style="background:#cef2e0; color:black" |

== fabrik ==
|sqli
|120711
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]
|-
|

== xmap ==
|sqli 1.2.11
|120711
|upgrade to 1.2.12
|-
|style="background:red; color:white" |

== Atomic Gallery ==
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery]
|110711
|
|-
|

== myApi ==
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.]
|020711
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]
|-
|style="background:red; color:white" |

== mdigg ==
|SQL I (not listed in JED)
|020711
|
|-
|style="background:#cef2e0; color:black" |

== Calc Builder ==
|sqli + ID
|180611
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]
|-
|style="background:red; color:white" |

== Cool Debate ==
|Cool Debate 1.03 LFI
|
|
|-
|style="background:red; color:white" |

== ==
|
|
|
|-
|style="background:#cef2e0; color:black" |

== Scriptegrator Plugin 1.5.5==
|LFI
|140611
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6
|-
|style="background:#cef2e0; color:black" |

== Joomnik Gallery ==
|SQLi
|
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]
|-
|style="background:#cef2e0; color:black" |

== JMS fileseller ==
|LFI
|0611
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]
|-
|style="background:#cef2e0; color:black" |

== sh404SEF ==
|low-level XSS security issue
|300511
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]
|-
|style="background:#cef2e0; color:black" |

== JE Story submit ==
|LFI/RFI
|
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]
|-
|style="background:red; color:white" |

== FCKeditor ==
|File Upload Vulnerability
|230511
|
|-
|style="background:red; color:white" |

== KeyCaptcha ==
|Private report under investigation
|190511
|
|-
|style="background:red; color:white" |

== Ask A Question AddOn v1.1 ==
|SQLi
|160511
|
|-
|style="background:#cef2e0; color:black" |

== Global Flash Gallery ==
|flash-gallery.com xss
|130511
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]
|-
|style="background:#cef2e0; color:black" |

== com_google ==
|LFI [http://freejoomlacomponent.appspot.com/ com_google]
|080511
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]
|-
|style="background:#cef2e0; color:black" |

== docman ==
|com-docman Input Validation Error
|160511
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]
|-
|style="background:#cef2e0; color:black" |

== Newsletter Subscriber ==
|XSS
|120511
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]
|-
|style="background:#cef2e0; color:black" |

== Akeeba ==
|akkeba backup and joomlapack
|170411
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]
|-
|style="background:#cef2e0; color:black" |

== Facebook Graph Connect ==
|SID. call home device with user credentials
|120411
|[http://www.sikkimonline.info/security-notice dev update notice]
|-
|style="background:#cef2e0; color:black" |

== booklibrary ==
|SQLi ordasoft booklibrary
|180311
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]
|-
|style="background:red; color:white" |

== semantic ==
|com semantic http://www.scms.es/joomla creates hidden admin users
|150311
|
|-
|

== JOMSOCIAL 2.0.x 2.1.x ==
|SID, open folders
|120311
|
|-
|style="background:#cef2e0; color:black" |

== flexicontent ==
|forced 777, malicious files
|250311
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]
|-
|style="background:red; color:white" |

== jLabs Google Analytics Counter ==
|jLabs Google Analytics Counter SID
|
|
|-
|
== xcloner ==
|Unspecified
|260211
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]
|-
|style="background:#cef2e0; color:black" |

== smartformer ==
|RFI
|230211 (repeat of 041110)
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]
|-
|style="background:#cef2e0; color:black" |

== xmap 1.2.10 ==
|Malicious payload in zip
|230211
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode]
|-
|style="background:#cef2e0; color:black" |

== Frontend-User-Access 3.4.1 ==
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI
|030211
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]
|-
|style="background:#cef2e0; color:black" |

== com properties 7134 ==
| http://com-property.com/ malicious files in script
|
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]

|-
|style="background:red; color:white" |

== B2 Portfolio ==
|B2 portfolio 1.0 SQLi pulseextensions.com
|250111
|
|-
|style="background:#cef2e0; color:black" |

== allcinevid ==
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367
|220111
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]
|-
|style="background:red; color:white" |

== People Component ==
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli
|150111
|
|-
|style="background:#cef2e0; color:black" |

== J!Dump v1.1.2 ==
| LFI in J!Dump v1.1.2 and before
|060111
|The extension is fixed in
[http://joomlacode.org/gf/project/jdump/frs version 1.1.3] 070111
|-
|style="background:#cef2e0; color:black" |

== xmovie 1.0 ==
|xmovie 1.0 LFi
|010111
|[http://www.optikool.com/news/xmovie-news/45-xmovie-11-udpate v1.1 is a security release.]
|-
|style="background:#cef2e0; color:black" |

== Easy File Uploader ==
|LFI - http://extensions.joomla.org/extensions/core-enhancements/file-management/11909
|090111
| Fixed MIME type tamper vulnerability http://michaelgilkes.info/joomla-plugin-easy-file-uploader 2011-01-10
|-
|style="background:#cef2e0; color:black" |

== akeebabackup admin tools ==
|xss
|181210
|http://www.akeebabackup.com/home/item/929-security-release-admin-tools-1-1.html devs update statement
|-
|style="background:#cef2e0; color:black" |

== aicontactsafe ==
|XSS for versions 2.0.13 and below
|161210
|[http://www.algisinfo.com/joomla/aicontactsafe-change-log.html dev release 2.0.14]
|-
|style="background:#cef2e0; color:black" |

== JRadio ==
|JRadio LFI/SID
|161210
|http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56 developer fix statement
|-
|style="background:#cef2e0; color:black" |

== JE Auto ==
|JE Auto 1.0 SQL I
|091210
|[http://www.joomlaextensions.co.in/extensions/components/je-auto.html developers bug fix statement]
|-
|style="background:#cef2e0; color:black" |

== jxtended comments ==
|xss
|081210
|[http://jxtended.com/blog/releases/375-jxtended-comments-131-stable-released.html dev notice] update to 1.3.1
|-
|style="background:#cef2e0; color:black" |

== sh404SEF ==
|sqlI
|301110
|[http://dev.anything-digital.com/Blog/sh404SEF/Urgent-security-releases-now-available-for-all-version-of-sh404SEF.html dev post of resolution]
|-
|style="background:#cef2e0; color:black" |

== JE Ajax Event Calendar ==
|SQL I (relist)
|251110
|[http://joomlaextensions.co.in/extensions/components/je-ajax-event-calender.html Dev states resolved,]
|-
|style="background:red; color:white" |

== Jimtawl ==
|Jimtawl LFI
|251110
|
|-
|style="background:#cef2e0; color:black" |

== mosets tree ==
|mosets tree various
|181110
|dev release 2.1.8 http://forum.mosets.com/showthread.php?t=17064
|-
|style="background:red; color:white" |

== Maian Media SILVER ==
|Maian Media SQLi
|151110
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]
|-
|style="background:red; color:white" |

== alfurqan ==
|alfurqan 1.5 sqli
|151110
|
|-
|style="background:red; color:white" |

== ccboard ==
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]
|131110
|

|-
|style="background:red; color:white" |

== ProDesk v 1.5 ==
|LFI
|091110
|
|-
|style="background:#cef2e0; color:black" |

== JQuarks 4 survey 1.0.0 ==
|SQLi
|091110
| [http://www.iptechinside.com/labs/projects/list_files/jquarks-for-surveys developer statement updated to version 1.0.1] 101110
|-
|style="background:#cef2e0; color:black" |

== RSform! 1.0.5 ==
|Multiple vulnerabilities - LFI, SQLi
|061110
| [http://www.rsjoomla.com/customer-support/documentations/12-general-overview-of-the-component/46-rsform-changelog.html developer announcement of security release]to 1.0.6 091110
|-
|style="background:#cef2e0; color:black" |

== ccinvoices ==
|SQLi for [http://www.chillcreations.com/ ccinvoices]
|051110
|Developer Upgrade release to ccInvoices_110RC3 061110
|-
|style="background:red; color:white" |

== sponsorwall ==
|SQL injection pulseextensions.com
|011110
|
|-
|style="background:red; color:white" |

== Flip wall ==
|SQL injection pulseextensions.com
|011110
|
|-
|style="background:#cef2e0; color:black" |

== K2 joomlaworks ==
| http://getk2.org/ k2 xss
|
|[http://getk2.org/ version 2.4.1]
|-
|style="background:#cef2e0; color:black" |

== Mosets Tree 2.1.5 ==
|Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI
|
|[http://forum.mosets.com/forumdisplay.php?f=2 developer relase statement and change log]
|-
|style="background:red; color:white" |

== Freestyle FAQ 1.5.6 ==
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 ‎SQL Injection
|
|
|-
|style="background:#cef2e0; color:black"|

== JE FAQ Pro ==
|[http://www.jextn.com/ Je faq pro] various reports
|090910
|[http://www.jextn.com/joomla-faq-component-extensions-downloads Developer update notice]
|-
|style="background:red; color:white" |

== iJoomla Magazine 3.0.1 ==
|iJoomla Magazine 3.0.1 RFI
|090910
|
|-
|style="background:red; color:white" |

== Clantools ==
|
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli
|090910
|
|-
|style="background:red; color:white" |

== jphone ==
|jphone LFI
|090910
|
|-
|style="background:#cef2e0; color:black"|

== Gantry Framework ==
|SQli injection
|050910
|[http://www.gantry-framework.org/news Update to 3.0.11]
|-
|style="background:red; color:white" |

== PicSell ==
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]
|020910
|
|-
|style="background:#cef2e0; color:black"|

== JE FAQ Pro ==
|[http://www.jextn.com/joomla-faq-component-extensions-downloads/ SID]
|020910
|[http://www.jextn.com/joomla-faq-component-extensions-downloads Developer update notice]
|-
|style="background:red; color:white" |

== Zoom Portfolio ==
|SID
|020910
|
|-
|style="background:red; color:white" |

== zina ==
|[http://www.pancake.org/zina/ SQL Injection]
|020910
|
|-
|style="background:red; color:white" |

== Team's ==
|[http://www.joomlamo.com Teams extension] SQL Injection
|120810
|
|-
|style="background:red; color:white" |

== Amblog ==
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi
|120810
|
|-
|style="background:red; color:white" |

== ==
|
|
|
|-
|style="background:#cef2e0; color:black"|

== Graffiti Wall ==
|[http://extensions.joomla.org/extensions/extension-specific/jomsocial-extensions/13263 Graffiti Wall] for [http://www.joomplace.com/forum/jomsocial-plugins/jomsocial-plugins/graffiti-wall-permissions-777.html jomsocial silent 777]
|310710
|[http://extensions.joomla.org/extensions/extension-specific/jomsocial-extensions/13263 Dev statement 1.1 - is security release]. Folder permission was set by default as 777 that is unsecure.
|-
|style="background:#cef2e0; color:black"|

== Spielothek ==
|http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation
|290710
|Dev states version 1.7.1 resolves issues 020810
|-
|style="background:#cef2e0; color:black"|

== Aardvertiser ==
|http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777
|290710
|[http://sourceforge.net/projects/aardvertiser/forums/forum/989030/topic/3788365 dev announces silent 0777 fixed in Version 2.1 290710]
|-
|style="background:#cef2e0; color:black"|

== FW Real Estate Light ==
|http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777
|290710
|[http://www.fastw3b.net/fw-real-estate-light.html version 1.1 reported as fixed 777 issue]
|-
|

== ==
|
|
|
|-
|style="background:#cef2e0; color:black"|

== jDownloads ==
|http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting
|2807110
|1.7.4 RC3 Build 771 update on Jul 29 to remove 0777
|-
|style="background:#cef2e0; color:black"|

== TTVideo ==
|[http://www.toughtomato.com TTVideo 1.0 Joomla] SQL Injection Vulnerability
|270710
|[http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/ dev updated the component to prevent this]. 280710
Users are no longer able to download the previous version.
|-
|style="background:#cef2e0; color:black"|

== frei-chat2.0 ==
|http://code.google.com/p/frei-chat/downloads/list xss vulnerability
|230710
|[http://code.google.com/p/frei-chat/downloads/list Dev announcement to fix] 2.1.2 for FreiChat [Those having CB installed]AND 1.2.2 for FreiChatPure [Extension Independent] 240710

|-
|style="background:#cef2e0; color:black"|

== QContacts ==
|http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 '''Version: 1.0.4 reported, current version 1.0.6'''
|220710
|Devleoper states [http://www.latenight-coding.com/news/joomla/supposed-vulnerability-qcontacts-104.html unproven report and no POC]
|-
|style="background:red; color:white" |

== Jomtube ==
|http://www.jomtube.com/ SID
|220710
|
|-
|style="background:#cef2e0; color:black"|

== mysms ==
|http://www.willcodejoomlaforfood.de/ Upload Vulnerability
|july 10,2010
|290710 [http://www.willcodejoomlaforfood.de/ released the version 1.5.12.]
|-
|style="background:red; color:white" |

== Rapid Recipe ==
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2
|july 10,2010
|
|-
|style="background:red; color:white" |

== Health & Fitness Stats ==
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010
|
|
|-
|style="background:red; color:white" |

== staticxt ==
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided
|
|
|-
|style="background:#cef2e0; color:black"|
== EasyBlog ==
|http://stackideas.com/products/easyblog.html xss (new report) july 10,2010
|
|[http://extensions.joomla.org/extensions/news-production/blog/12630 developer reported fix available on site ]
|-
|style="background:#cef2e0; color:black"|

== redshop light ==
|http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and sqli
|110710
|[http://redcomponent.com/forum/72-redshop-light/11261-redshop-light-rc2-released-security-release Developer reported fix and upgrade to RC2]
|-
|style="background:red; color:white" |

== quickfaq ==
|http://www.schlu.net sqli
|090710
|
|-
|style="background:red; color:white" |

== Minify4Joomla ==
|http://waltercedric.com/ LFI and xss
|090710
|No longer available to download
|-
|style="background:red; color:white" |

== IXXO Cart ==
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== Music Manager ==
|LFI [http://danieljamesscott.org/software/4-joomla-extensions/4-music-manager.html music manager]
|090710
|[http://danieljamesscott.org/software/4-joomla-extensions/4-music-manager.html Version 0.13 released]
|-
|style="background:red; color:white" |

== PaymentsPlus ==
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability
|090710
|current version 2.20, 2.1.5 not listed on dev site
|-
|style="background:red; color:white" |

== ArtForms ==
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities
|090710
| Old beta extension
|-
|style="background:#cef2e0; color:black"|

== NeoRecruit ==
|neojoomla.com SQL Injection
| neorecruit vers 1.4 060710
|[http://www.neojoomla.com/index.php?lang=en dev statement of fix in 1.4.1 and safe 2.0.5]
|-
|style="background:red; color:white" |

== autartimonial ==
|autartica.be Sqli Vulnerability
|060710
|
|-
|style="background:#cef2e0; color:black"|

== Jobs Pro ==
|instantphp.com/ Sqli
|060710
|[http://www.instantphp.com/news/40-new-releases/153-jobs-133-is-published.html devs] announcement of fix 130710
|-
|

== JPodium ==
|http://www.jpodium.de/ SQL Injection
|060710
|[http://www.jpodium.de/index.php?option=com_content&view=article&id=135:jpodium-not-vulnerable-to-sql-injection&catid=2:newsrotator Devs statement as to not proven]
|-
|style="background:#cef2e0; color:black"|

== Front-End Article Manager System ==
|http://b-elektro.no/ Upload Vulnerability
|040710
|[http://b-elektro.no/index.php dev states resolved]
|-
|style="background:#cef2e0; color:black"|

== addressbook ==
|http://b-elektro.no/ Upload Vulnerability
|040710
|[http://b-elektro.no/index.php dev states resolved]
|-
|

== NijnaMonials ==
|http://ninjaforge.com/ Sqli Vulnerability
|040710
|070410 Discovered to be malicious/false report see [http://nekkidninjas.com/index.php/2010/07/05/there-is-no-sql-injection-vulnerability- devs notice]
|-
|style="background:#cef2e0; color:black"|

== Phoca Gallery ==
|SQL I (wrong download location in report)
|040710
|style="background:#cef2e0; color:black"| deemed malicious report
|-
|style="background:#cef2e0; color:black"|

== socialads ==
|techjoomla.com/ Xss Vulnerability
|040710
|[http://techjoomla.com/joomla-extension-news/socialads-v101-security-update-to-fix-xss-vulnerability-out.html Developers resolved statement]
|-
|style="background:red; color:white" |

== eventcal 1.6.4 ==
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode
|040710
|
|-
|style="background:#cef2e0; color:black"|

== myblog controller ==
|LFI
http://www.azrul.com/
|010710
|[http://www.azrul.com/ MyBlog 3.0.332]
|-
|style="background:#cef2e0; color:black"|

== joomanager ==
|SQli Vulnerability
http://www.joomanager.com
|010710
|[http://www.joomanager.com/component/content/article/3-newsflash/60-joomanager-v13-stable-and-sef-plugins-released.html developer release statement] 260311
|-
|style="background:#cef2e0; color:black"|

== gamesbox ==
|SQL Injection Vulnerability
http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox
|010710
|upgrade to 1.0.10
|-
|style="background:red; color:white" |

== wmtpic ==
|www.webmaster-tips.net various
|010710
|
|-
|style="background:red; color:white" |

== date converter ==
|http://sourceforge.net/projects/date-converter/ sqli
|010710
|
|-
|

== Remository ==
|http://remository.com/ LFI (proc)
|010710
|Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710
|-
|style="background:#cef2e0; color:black"|

== RokBridge 1.0rc12 ==
|http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SDI
|090810
|[http://www.rockettheme.com/extensions-updates/834-rokbridge-10rc13-released RokBridge has been updated to version 1.0rc13.] 120810
|-
|style="background:red; color:white" |

== real estate ==
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI
|210610
|
|-
|style="background:#cef2e0; color:black"|

== jomsocial ==
|Version: 1.6.288 Multiple XSS
|210610
|[http://www.jomsocial.com/blog/security-patch-for-jomsocial-16x.html 1.6.291 released] 220610

|-
|style="background:#cef2e0; color:black"|

== DOCman ==
|DOCman 1.5.7 DOCman 1.4.0 none specific exploit
|210610
|[http://blog.joomlatools.eu/2010/06/docman-security-announcement.html developer announcement]
|-
|style="background:#cef2e0; color:black"|

== eportfolio ==
|http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability
|200610
|Developer [http://www.joomplace.com/e-portfolio/e-portfolio-description.html announcement ] 270810

|-
|style="background:red; color:white" |

== cinema ==
|SQL injection
|190610
|
|-
|style="background:red; color:white" |

== Jreservation ==
|http://jforjoomla.com/ SQLi Vulnerability
|190610
|
|-
|style="background:#cef2e0; color:black"|

== Super Messenger ==
|axxis.gr xss
|190610
|[http://axxis.gr/forum/viewtopic.php?f=6&t=641 developer release statement 1.4.6]
|-
|style="background:red; color:white" |

== joomdocs ==
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability
|190610
|
|-
|style="background:#cef2e0; color:black"|

== RSComments 1.0.0 ==
|Persistent XSS NOTE: ONLY executes in backend!
|190610
|[http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html Developer update announcement] 210610
|-
|style="background:red; color:white" |

== Live Chat ==
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities
|190610
|
|-
|style="background:red; color:white" |

== Turtushout 0.11 ==
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)
|190610
|
|-
|style="background:red; color:white" |

== BF Survey Pro Free ==
|BF Survey Pro Free SQL Injection Exploit
|190610
|
|-
|style="background:red; color:white" |

== MisterEstate ==
|http://www.misterestate.com/ Blind SQL Injection Exploit
|190610
|
|-
|style="background:red; color:white" |

== RSMonials ==
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit
|190610
|Believed to be 1.5.1 version

|-
|style="background:#cef2e0; color:black"|

== RSComments 1.0.0 ==
|RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted)
|180610
|[http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html Developer update announcement] 210610
|-
|style="background:red; color:white" |

== Answers v2.3beta ==
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652
|180610
|
|-
|style="background:red; color:white" |

== Gallery XML 1.1 ==
|Multiple Vulnerabilities
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504
|180610
|
|-
|style="background:red; color:white" |

== JFaq 1.2 ==
|JFaq 1.2 Multiple Vulnerabilities
|180610
|
|-
|style="background:red; color:white" |

== Listbingo 1.3 ==
|Multiple Vulnerabilities
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062
|180610
|
|-
|style="background:#cef2e0; color:black"|

== PowerMail Pro ==
| PowerMail Pro Local File Inclusion Vulnerability
|
|[http://powermail4joomla.com/forum/showthread.php?tid=163 Dev upadte statement] 151010
|-
|style="background:red; color:white" |

== Alpha User Points ==
|www.alphaplug.com LFI
|180610
|
|-
|style="background:#cef2e0; color:black"|

== Magic Updater ==
|http://software.realtyna.com/ RFI
|170610
|[http://software.realtyna.com/component/content/article/64-security-patch-for-magic-updater-and-translator.html] developer update statement
|-
|style="background:red; color:white" |

== recruitmentmanager ==
|http://recruitment.focusdev.co.uk Upload Vulnerability
|130610
|
|-
|style="background:red; color:white" |

== Info Line (MT_ILine) ==
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file
|120610
|
|-
|style="background:#cef2e0; color:black"|

== Search Log ==
|http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi
|080610
|[http://www.kanich.net/radio/site/searchlog/searchlog-download Developer cited update to version 3.1.1 100710]

|-
|

== iJoobi ==
|jtickets, jsubscription SQL Injection Vulnerability,
jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection,
|090610
|developer states unproven

|-
|style="background:red; color:white" |

== Ads manager Annonce ==
|http://joomla.clubnautiquemarine.fr/
Upload Vulnerability
| 05/06/10
|
|-
|style="background:red; color:white" |

== lead article ==
|http://www.leadya.co.il/ SQLi
|050610
|
|-
|style="background:red; color:white" |

== djartgallery ==
|http://www.design-joomla.eu Multiple Vul
|05/06/10
|
|-
|style="background:red; color:white" |

== Gallery 2 Bridge ==
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability
|

|-
|style="background:red; color:white" |

== jsjobs ==
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability
|
|
|-
|

== ==
|
|
|
|-
|style="background:red; color:white" |

== JE Poll ==
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== MyCar ==
|http://www.unisoft.me/extensions/ sqli ID
|
|[http://www.unisoft.me/mycar/index.php?option=com_smallchat&Itemid=5 Dev announcement update to 1.1]
|-
|style="background:red; color:white" |

== MediQnA ==
|MediQnA LFI vulnerability version : v1.1
|
|
|-
|style="background:red; color:white" |

== JE Job ==
|http://joomlaextensions.co.in/ LFI SQLi
|
|
|-
|style="background:#cef2e0; color:black"|

== BF Quiz ==
|SQL Injection Exploit Version(s) = 1.3.0
|
|[http://www.tamlyncreative.com.au/software/forum/index.php?topic=729.0 Developer update to BF Quiz v1.3.1]
|-
|

== ==
|
|
|
|-
|style="background:#cef2e0; color:black"|

== Ozio Gallery 2 ==
|DT and open email relay
|280510
|[http://oziogallery.joomla.it/index.php?option=com_content&view=article&id=65:rilasciata-la-versione-ozio-gallery-25&catid=2:notizie&Itemid=13&lang=en Developer update and security release] 010610
|-
|style="background:red; color:white" |

== SectionEx ==
|Stack Ideas section Ex LFI
|
|
|-
|style="background:red; color:white" |

== ActiveHelper LiveHelp ==
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp]
|200510
|
|-
|style="background:#cef2e0; color:black"|
== RS Comments ==
|XSS Vulnerability
|
|[http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html - fix posted 210510]
|-
|

== BCA RSS Feed ==
|LFI and other vulnerabilities
|
|Upgrade to [http://ninjaforge.com/index.php?option=com_ninjacentral&page=show_package&id=74&Itemid=236 Ninja RSS Syndicator 1.0.9 or later]
|-
|

== SimpleDownload ==
|http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits
|160510
|updated version (version 0.9.6)
|-
|style="background:red; color:white" |
== JE Quotation Form ==
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI
|
|
|-
|style="background:red; color:white" |

== konsultasi ==
|SQL Injection Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== Aardvertiser ==
|Local File Inclusion Vulnerability
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454
|
|see [http://docs.joomla.org/Vulnerable_Extensions_List#Aardvertiser resolved notice 040810]
|-
|style="background:red; color:white" |

== Seber Cart ==
|Local File Disclosure Vulnerability
|
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]
|-
| style="background:#cef2e0; color:black"|

== FDione Form Wizard ==
|lfi vulnerability
|140510 200510
|[http://dionesoft.com Update to Dione Form Wizard (v. 1.0.4)].
|-
| style="background:#cef2e0; color:black"|

== Custom PHP Pages ==
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability
|
|[http://fijiwebdesign.com Developer declares not vulnerable 140510]
|-
|style="background:red; color:white" |

== Camp26 Visitor ==
|RFI www.camp26.biz
|
|
|-
|style="background:#cef2e0; color:black"|

== iJoomla News Portal ==
|RFI SID
|
|[http://www.ijoomla.com/forum/index.php/topic,4480.0.html Update to 1.5.10]
|-
|
== article Factory Manager ==
|RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html
|may 2010
|can not reproduce and unproven, http://www.thefactory.ro
|-
|style="background:#cef2e0; color:black"|

== Table JX Component ==
|http://www.toolsjx.com/ Table JX Component XSS
|060510 - update 130510
|Version: 1.5.5 considered unsafe, [http://www.toolsjx.com update to 1.5.7]
|-
|style="background:red; color:white" |

== JE Property ==
|JE Property Finder Upload Vulnerability
|
|
|-
|style="background:red; color:white" |

== Noticeboard ==
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability
|
|
|-
|style="background:red; color:white" |

==SmartSite ==
|SmartSite com_smartsite Local File Inclusion Vulnerability
|
|
|-
|style="background:#cef2e0; color:black" |

== ABC ==
|ABC SQL Injection Vulnerability
|
|reported as updated to JED 290410
|-
|style="background:red; color:white" |

== htmlcoderhelper graphics ==
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability
|
|
|-
|style="background:red; color:white" |

== Ultimate Portfolio ==
|Ultimate Portfolio Local File Inclusion Vulnerability
|
|
|-
|style="background:#cef2e0; color:black" |

== huruhelpdesk ==
|http://www.huruhelpdesk.net sqli injection
|
|[http://www.huruhelpdesk.net/forums/8-announcements/392--sql-injection-reveals-user-md5-password-hash Reported fix]
|-
|style="background:red; color:white" |

== Archery Scores ==
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]

|210410
|
|-
|style="background:red; color:white" |

== ZiMB Manager ==
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability
|210410
|
|-
|style="background:red; color:white" |

== Matamko ==
|Matamko Local File Inclusion Vulnerability
|210410
|
|-
|style="background:red; color:white" |

== Multiple Root ==
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/
|
|
|-
|style="background:red; color:white" |

== Multiple Map ==
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com
|
|
|-
|style="background:red; color:white" |

== Contact Us Draw Root Map ==
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com
|
|
|-
|style="background:red; color:white" |

== iF surfALERT ==
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability
|
|
|-
|style="background:red; color:white" |

== GBU FACEBOOK ==
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/
|
|
|-
|style="background:red; color:white" |

== jnewspaper ==
|jnewspaper (cid) SQL Injection Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== JTM Reseller ==
|TM Reseller SQL injection vulnerability
|
|[http://jtmreseller.com/ Developer Update]
|-
|style="background:#cef2e0; color:black" |

== media Mall Factory ==
|SQLi
|200410
| [http://www.thefactory.ro/contact-us/product-update-request.html Solution: update to 1.0.5]

|-
|style="background:#cef2e0; color:black"|

== Gadget Factory ==
|LFi
|200410
|[http://www.thefactory.ro/contact-us/product-update-request.html Solution: update to 1.5.1]
|-
|style="background:#cef2e0; color:black"|

== Deluxe Blog Factory ==
|SQLi
|200410
|[http://www.thefactory.ro/contact-us/product-update-request.html update to 1.1.2]
|-
|

== ==
|
|
|
|-
|style="background:red; color:white" |
== MT Fire Eagle ==

|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com
| 190410
| product considered retired and to be replaced by dev
|-
|
== com properties ==
| http://com-property.com/ SQL I
|
|[http://www.com-property.com/images/fbfiles/files/properties-20100413.txt developer announced fix]
|-
|style="background:red; color:white"|

== Sweetykeeper ==
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/
|120410
|
|-
|style="background:red; color:white"|

== jvehicles ==
|SQL Injection http://jvehicles.com
|120410
|
|-
|style="background:red; color:white"|

== worldrates ==
|http://dev.pucit.edu.pk/
|120410
|
|-
|style="background:red; color:white"|

== cvmaker ==
|http://dev.pucit.edu.pk/
|
|
|-
|style="background:red; color:white"|

== advertising ==
|http://dev.pucit.edu.pk/
|
|
|-
|style="background:red; color:white"|

== horoscope ==
|http://dev.pucit.edu.pk/
|120410
|
|-
|style="background:red; color:white"|

== webtv ==
|http://dev.pucit.edu.pk/
|120410
|
|-
|style="background:red; color:white"|

== diary ==
|http://dev.pucit.edu.pk/
|120410
|-
|style="background:#cef2e0; color:black"|

== Multi-Venue Restaurant Menu Manager (MVRMM) ==
|http://www.focusdev.co.uk/
|120410
||[http://extensions.joomla.org/extensions/vertical-markets/food-a-beverage/10015 Version 1.5.2 Stable Update 4]
|-
|style="background:red; color:white"|

== Memory Book ==
|http://dev.pucit.edu.pk/
|120410
|-
|style="background:#cef2e0; color:black"|

== TRAVELbook ==
| http://www.demo-page.de/
|120410
|[http://www.demo-page.de/de/erweiterungen-mehr-inhalte/travelbook/download.html developers resolution notice 1.0.2]
|-
|style="background:#cef2e0; color:black"|

== AlphaUserPoints ==
|
|[http://www.alphaplug.com/index.php/downloads.html?func=fileinfo&id=31 developer upgrade]

|-
|style="background:red; color:white"|

== JprojectMan ==
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676
|110410
|-
|style="background:#cef2e0; color:black"|

== CKForms ==
|1.3.4 release - Important LFI security fix [http://joomlacode.org/gf/project/ckforms/news/?action=NewsThreadView&id=2814 ]
|07-04-10
|[http://ckforms.cookex.eu/download/download.php upgrade]
|-
|style="background:red; color:white"|

== econtentsite ==
|LFI
|040410
|
|-
|style="background:red; color:white"|

== Jvehicles ==
|ID
|040410
|-
|

== ==
|
|
|-
|style="background:#cef2e0; color:black"|

== smestorage ==
|[http://www.smestorage.com SMEStorage] LFI

|Updated 29 March 10
|[http://gelembjuk.com/index.php?option=com_content&view=section&layout=blog&id=1&Itemid=55 developer fix] to 1.1
|-
|style="background:#cef2e0; color:black"|

== JE Tooltip ==
|[http://joomlaextensions.co.in/formcreator/ JE Tooltip] LFI
|Updated 23 March
|-
|style="background:#cef2e0; color:black"|

== Gift Exchange Beta ==
|[http://extensions.joomla.org/extensions/communities-a-groupware/membership/11680 Gift exchange] SQLi
|Updated 23 March
|[http://socialables.com/28-Jomsocial/Gift-Exchange/flypage.tpl.html upgrade beta 1.0.1]

|-
|style="background:#cef2e0; color:black"|

== RokDownloads ==
|[[http://extensions.joomla.org/extensions/directory-a-documentation/downloads/7967 LFI]]
|15 march 2010
||upgrade to [http://www.rockettheme.com/extensions-updates/638-rokdownloads-10-released version 1.0]
|-
|style="background:red; color:white"|

== gigcalender ==

|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]
|13 march 2010
|
|-
|style="background:red; color:white"|

== heza content ==
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]
|13 march 2010
|
|-
|style="background:#cef2e0; color:black" |

== juliaportfolio ==
|LFI [http://extensions.joomla.org/extensions/directory-&-documentation/portfolio/8519/details juliaportfolio]
|13 march 2010
|[http://www.treidorinte.ro/joomla-extensions/19-joomla-components/467-juliaportfolio-security-upgrade-required withdrawal and update notice]
|-

|style="background:#cef2e0; color:black" |

== Flash Magazine Deluxe ==
|SQL Injection Vulnerability.
|Feb 25
|'''[http://www.joomplace.com/flash-magazine-deluxe/flash-magazine-deluxe-description.html Developer Update Version 2.0.11 09/03/10]'''
|-
|style="background:red; color:white" |

== SqlReport ==
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.
|Feb 20
|'''Not Known'''
|-
|style="background:#cef2e0; color:black" |

== Scriptegrator ==
|Core Design [http://www.greatjoomla.com/extensions/plugins/core-design-scriptegrator-plugin.html Scriptegrator] RFI exploit
|Feb 20
|[http://www.greatjoomla.com/extensions/plugins/core-design-scriptegrator-plugin.html Dev Upgrade announcement]
|-
|style="background:#cef2e0; color:black" |

== AllVideos 3.1 ==
|
A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/]|
|17 Feb
| [http://joomlaworks.googlecode.com/files/plg_jw_allvideos-v3.3_j1.5.zip Version 3.3 release 18th]
|-
|style="background:#cef2e0; color:black" |

== RW Cards ==
| [http://extensions.joomla.org/extensions/3430/details RW Card] LFI and ID exploit [http://www.weberr.de/ Dev Site]
|180210
|style="background:#cef2e0; color:black" |''' [http://www.weberr.de/index.php/forum.html?func=view&catid=5&id=1939&limit=6 developer update]'''
|-
|style="background:red; color:white" |

== Yelp ==
| SQLi - Unable to locate developer. Possibly a custom extension.
|Feb 01
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |

== '''Autartitarot''' ==
|Directory Traversal. Back end access required
| Feb 05
|style="background:#cef2e0; color:black" | ''' Please upgrade to [http://www.autartica.be/en/autartitarot version 1.0.4]'''
|-
|style="background:#cef2e0; color:black" |

== communitypolls ==
|LFI - [http://www.corejoomla.com/ community polls]
|Feb 17
||upgrade to [http://www.corejoomla.com/ version 1.5.3]
|-
|

== ==
|
|
|
|}
<endFeed />

''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance]
''

== Codes used ==
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]

LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]

RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]

DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia]

ID = Information Disclosure: account information or sensitive information publicly viewable

== Future Actions & WIP ==

[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed

to feed VEL direct to twitter

== Notes ==
The RSS feed is currently fed by item entry order and not by date fixed.
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]

----
[[Category:Security]]
[[Category:Security_FAQ]]
[[Category:Component Management]]
----

Vulnerable Extensions List/Archive/2009-10

2011-07-15T12:32:52Z

CirTap: moved Vulnerable Extensions List/Archive/2009-10 to Archived vel over redirect

#REDIRECT [[Archived vel]]

Archived vel

2011-07-15T12:32:52Z

CirTap: moved Vulnerable Extensions List/Archive/2009-10 to Archived vel over redirect

Vulnerable Extensions List/Archive/2010-11

2011-07-15T12:31:26Z

CirTap: moved Vulnerable Extensions List/Archive/2010-11 to Vulnerable Extensions List (Archived) over redirect

#REDIRECT [[Vulnerable Extensions List (Archived)]]

Vulnerable Extensions List (Archived)

2011-07-15T12:31:26Z

CirTap: moved Vulnerable Extensions List/Archive/2010-11 to Vulnerable Extensions List (Archived) over redirect

{{underconstruction}}
For a more recent list please see [[Vulnerable_Extensions_List_oct]]

<table border="1" cellpadding="3" cellspacing="3">
<tr style="background-color: #ff9900" valign="bottom">
<th align="left" width="25%">Name</th>
<th align="left">Versions</th>
<th align="left">Solution</th>
<th align="left">References</th>
<th>Updated</th>
</tr>
<tr>

<td>

A6MamboCredits

com_a6mambocredits
</td>

<td>All </td>
<td>Abandoned. Remove completely or use at your own risk.</td>
<td>[http://secunia.com/advisories/21540/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,86978.0.html Forum Topic]</td>
<td> 2006</td>

</tr>
<tr>
<td>

A6MamboHelpDesk


com_a6mambohelpdesk


</td>
<td> All </td>
<td> Abandoned. Remove completely or use at your own risk.
</td>
<td>
[http://forum.joomla.org/index.php/topic,80890.0.html Forum Topic] 
[http://secunia.com/advisories/21540/ Secunia Advisory] 

[http://secunia.com/advisories/21227/ Secunia Advisory]
</td>
<td> 2006</td>
</tr>
<tr>
<td>


Advanced Poll


com_advancedpoll (?)

</td>
<td> <= 2.2.0</td>
<td>
Abandoned. Remove completely or use at your own risk.
</td>

<td> [http://forum.joomla.org/index.php/topic,76621.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>Adobe Acrobat Reader 
(Not a Joomla! extension, but worth noting.)</td>

<td> <= 7.0.8</td>
<td>Upgrade to latest stable version.
</td>
<td>[http://www.adobe.com/support/security/advisories/apsa07-01.html Adobe Advisory]
</td>
<td>2006</td>
</tr>

<tr>
<td> Akocomment</td>
<td> All</td>
<td>SQL Injection with PHP magic_quotes OFF. No upgrade path yet. 
Fix: Turn PHP magic_quotes ON 
</td>

<td>[http://forum.joomla.org/index.php?topic=185805.msg882326#msg882326 Forum Topic] 
</td>
<td>June 30, 2006 
</td>
</tr>
<tr>
<td>Article</td>

<td> <= 1.1 
</td>
<td> Upgrade to latest stable version.</td>
<td> [http://www.milw0rm.com/exploits/3736 milwOrm Advisory] 
[http://www.frsirt.com/english/adisories/2007/1394 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,160876.msg775119.html#msg775119 Forum Topic]</td>
<td> 26 June 2007 
</td>
</tr>
<tr>
<td>

ArtLinks




com_artlinks

</td>
<td> All
</td>
<td> Abandoned. Remove completely or use at your own risk.
</td>

<td>[http://forum.joomla.org/index.php/topic,76328.0.html Forum Topic]
</td>
<td>2006</td>
</tr>
<tr>
<td> AutoStand </td>

<td> <= 1.1 
</td>
<td> No further information at this time. 
</td>
<td>
[http://www.milw0rm.com/exploits/3734 milwOrm Advisory] 
[http://www.frsirt.com/english/advisories/2007/1392 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,160876.msg775119.html#msg775119 Forum Topic]


 

</td>
<td> 26 June 2007 

</td>
</tr>
<tr>
<td>

Bayesian Naive Filter



com_bayesiannaivefilter

</td>
<td> <= 1.1
</td>
<td> No Fix Available. Disable or remove until a fix is available.
</td>
<td>[http://forum.joomla.org/index.php/topic,81594.0.html Forum Topic]

</td>
<td> 2006</td>
</tr>
<tr>
<td>

Bible Study



com_biblestudy

</td>
<td> <= 6.0.7b and below
</td>
<td> Fix Available. SQL Insertion attack
</td>
<td>http://joomlacode.org/gf/project/biblestudy/

</td>
<td> 2008</td>
</tr>
<tr>
<td>

BigApe Backup



com_babackup

</td>
<td> All </td>
<td> A patch is available from the developer. [http://forum.joomla.org/index.php/topic,87736.msg465256.html#msg465256 See this post.] </td>

<td> [http://secunia.com/advisories/21574/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,87736.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>


BSQ Site Stats


com_bsqsitestats

</td>
<td> <= 2.2.1</td>

<td>Upgrade to latest stable version. 
</td>
<td>[http://forum.joomla.org/index.php/topic,77899.0.html Forum Topic] 
[http://secunia.com/advisories/22142/ Secunia Advisory] </td>
<td> 2006</td>
</tr>

<tr>
<td>Car Manager 
</td>
<td> <= 1.1 
</td>
<td> No further information at this time.</td>

<td>[http://forum.joomla.org/index.php/topic,154777.msg748946.html#msg748946 Forum Topic] </td>
<td> 26 June 2007 
</td>
</tr>
<tr>
<td>


Classifieds



com_classifieds

</td>
<td> <= 1.3</td>
<td>Upgrade to latest stable version.</td>

<td>[http://forum.joomla.org/index.php/topic,82457.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Colophon




com_colophon

</td>
<td> <= 1.2</td>
<td>Upgrade to latest stable version.</td>
<td>[http://secunia.com/advisories/21288/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,81587.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Community Builder



com_profiler

</td>
<td> <= 1.0.0</td>
<td>


Upgrade to latest stable version. 


[http://forum.joomla.org/index.php/topic,86525.msg441456.html#msg441456 See here for a fix for register_globals = off]

</td>
<td>[http://www.joomlapolis.com/content/view/1538/37/ Jomopolis Topic] 

[http://forum.joomla.org/index.php/topic,84436.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,86525.msg441456.html#msg441456 Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

DS-Syndicate



com_ds-syndicate

</td>
<td>All versions?</td>
<td>
SQL injection vulnerability. 
Remove completely or use at your own risk. Component has been removed from JED. Abandoned?


</td>
<td>
[http://www.frsirt.com/english/advisories/2008/2859 http://www.frsirt.com/english/advisories/2008/2859]
<td>Nov. 27, 2008</td>
</tr>
<tr>
<td>


Events



com_events

</td>
<td> <= 1.3 Beta</td>
<td>Upgrade to latest stable version.</td>

<td>[http://forum.joomla.org/index.php/topic,80411.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>Expose Flash Gallery</td>
<td> RC4</td>

<td>[http://joomlacode.org/gf/project/expose/frs/?action=FrsReleaseView&release_id=5053 Download patch] 
</td>
<td>[http://forum.joomla.org/index.php/topic,192172.0.html Forum Topic]</td>
<td>20 July 2007 
</td>
</tr>
<tr>

<td>

ExtCalendar



com_extcalendar

</td>
<td> <= 0.9.1</td>

<td> Upgrade to version 0.9.2. See[http://forum.joomla.org/index.php/topic,75390.msg402249.html#msg402249 this post] for details. Also check the new forked project, JCal. </td>
<td> [http://secunia.com/advisories/19321/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,75390.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,79050.0.html Forum Topic] 

[http://forum.joomla.org/index.php/topic,78268.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Facile Forms



com_facileforms

</td>
<td> <= 1.4.6</td>
<td>Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,98973.0.html Forum Topic]</td>

<td> 2006</td>
</tr>
<tr>
<td>

Galleria




com_galleria

</td>
<td> All </td>
<td> Abandoned. Remove completely or use at your own risk.</td>
<td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3396 NVD Advisory] 

[http://forum.joomla.org/index.php/topic,77706.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Gmaps




com_gmaps

</td>
<td><=1.01 </td>
<td>Upgrade to the latest version, which can be downloaded [http://firestorm-technologies.com/component/option,com_docman/Itemid,27/task,doc_download/gid,22/ here] 
</td>

<td>[http://www.securityfocus.com/bid/25146 Security Focus Advisory] 
</td>
<td> 6 August 2007</td>
</tr>
<tr>
<td>


Hash Cash


com_hashcash

</td>
<td> All </td>
<td> Abandoned. Remove completely or use at your own risk.</td>

<td>[http://secunia.com/product/11046/ Secunia Advisory] 
</td>
<td> 2006</td>
</tr>
<tr>
<td>


Hot Property


com_hotproperties (?)

</td>
<td> <= 0.97</td>
<td>Upgrade to [http://www.mosets.com/download/ latest stable version].</td>

<td> No references available at this time.</td>
<td> 2006</td>
</tr>
<tr>
<td>

JCE




com_jce

</td>
<td> <= 1.0.4</td>
<td> Apply patch, download it [http://www.cellardoor.za.net/index.php?option=com_docman&task=cat_view&gid=1&Itemid=6 here], or use latest stable version.</td>

<td>

[http://secunia.com/advisories/23160/ Secunia Advisory] 
[http://www.cellardoor.za.net/ Cellardoor] 
[http://secunia.com/advisories/23160/ Secunia Advisory]

</td>
<td> 2006</td>

</tr>
<tr>
<td>

JoomlaPack


com_jpack


</td>
<td> 1.0.4a2 RE</td>
<td>Upgrade to latest stable version.
</td>
<td>

[http://www.milw0rm.com/exploits/3753 MilwOrm Advisory] 
[http://www.frsirt.com/english/advisories/2007/1429 FrSIRT Advisory]


</td>
<td> 2006</td>
</tr>
<tr>
<td>

JoomlaBoard



com_joomlaboard

</td>
<td> <= 1.1.1
</td>
<td>


Upgrade to latest stable version.


[http://forum.joomla.org/index.php/topic,86525.msg441456.html#msg441456 RG_EMULATION Fix]

</td>
<td> [http://secunia.com/advisories/21059/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,76852.0.html Forum Topic] 

[http://forum.joomla.org/index.php/topic,86525.msg441513.html#msg441513 Forum Topic] 
</td>
<td>2006</td>
</tr>
<tr>
<td>

JoomlaLib




com_joomlalib

</td>
<td> <= 1.2.1</td>
<td>Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,77899.0.html Forum Topic]</td>

<td> 2006</td>
</tr>
<tr>
<td>

JD-WordPress



com_jd-wp

</td>
<td> <= 2.0-1.0 RC2</td>
<td> Patch Available. 
See [http://forum.joomla.org/index.php/topic,81064.msg418374.html#msg418374 this post]. </td>

<td>[http://forum.joomla.org/index.php/topic,81064.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>



JD-Wiki


com_jd-wiki

</td>
<td>All 
</td>

<td>

Abandoned project. 
Upgrade to [http://joomlacode.org/gf/project/nuwiki/ nuWiki]

</td>
<td>


[http://forum.joomla.org/index.php/topic,80188.msg427986.html#msg427986 Forum Topic]


[http://forum.joomla.org/index.php?topic=177926.0 Forum Topic]

</td>
<td>6 July 2007</td>

</tr>
<tr>
<td>


JIM 1.0.1. (PMS)



com_jim

</td>
<td> 1.0.1 
</td>
<td>Upgrade to latest stable version. The developer fixed security issues but didn't create a higher version number.</td>
<td>[http://secunia.com/advisories/21545/ Secunia Advisory] </td>

<td> 2006</td>
</tr>
<tr>
<td>joomSEF (ARTIO)
</td>
<td> <=2.2.1</td>

<td> Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,226147.0.html Forum Topic]</td>
<td>27 Oct 2007 
</td>
</tr>
<tr>

<td>

jPack


com_jpack

</td>
<td>< 1.0.4-b1</td>

<td> Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,163589.msg847010.html#msg847010 Forum Topic]</td>
<td> 26 June 2007 
</td>
</tr>
<tr>

<td>

Link Directory


com_linkdirectory

</td>
<td> All 

</td>
<td> Remove. Abandoned project. 
</td>
<td> No references.
</td>
<td> 2006</td>
</tr>

<tr>
<td>

Letterman



mod_letterman

</td>

<td> <= 1.2.4</td>
<td>Upgrade to latest stable version. [http://www.thejfactory.com] </td>
<td>[http://forum.joomla.org/index.php?topic=180367 Forum Topic]
</td>
<td> May 2007</td>

</tr>
<tr>
<td>

LMO


com_lmo


</td>
<td> <= 1.0b2</td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/frs/do/viewRelease/projects.lmo/frs.com_lmo.com_lmo_1_0_b3 ] </td>
<td> [http://www.frsirt.com/english/advisories/2006/3063 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,81590.0.html Forum Topic] </td>

<td> 2006</td>
</tr>
<tr>
<td>

LoudMouth



com_loudmouth

</td>
<td> <= 4.0j</td>
<td> Upgrade to version 4.1 then apply Security Patch 1. [http://mamboxchange.com/frs/?group_id=39&release_id=5995 Download here].</td>
<td> [http://forum.joomla.org/index.php/topic,76337.0.html Forum Topic] 

[http://mamboxchange.com/forum/forum.php?forum_id=7638 MamboExchange Advisory]</td>
<td> 2006</td>
</tr>
<tr>
<td>


MamCom (?)


com_trade

</td>
<td> All 
</td>

<td> Abandoned. Remove completely or use at your own risk. 
</td>
<td> *Unconfirmed*</td>
<td> 2006</td>
</tr>
<tr>

<td>

MambelFish 1.x


com_mambelfish

</td>
<td> <= 1.x</td>

<td> Upgrade to 1.5 (or to Joom!Fish) [http://mamboxchange.com/frs/download.php/4518/MambelFish_1.5.zip Download Mambelfish ] [http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,460/Itemid,35/ Download Joom!Fish] </td>
<td> [http://secunia.com/advisories/21544/ Secunia Advisory] </td>
<td> 2006</td>
</tr>

<tr>
<td>


Mambo Gallery Manager





com_mgm


</td>
<td> All</td>
<td> Abandoned. Remove completely or use at your own risk.</td>
<td> [http://forum.joomla.org/index.php/topic,81616.0.html Forum Topic] 

[http://www.frsirt.com/english/advisories/2006/3054 FrSIRT Advisory] </td>
<td> 2006</td>
</tr>
<tr>
<td>

MiniBB



com_minibb

</td>
<td> <= 1.5a</td>
<td> Abandoned. Remove completely or use at your own risk.</td>

<td>

[http://securityreason.com/exploitalert/846 Security Reason Advisory] [http://forum.joomla.org/index.php/topic,76898.0.html Forum Topic] 
[http://securityreason.com/exploitalert/846 Security Reason]

</td>

<td> 2006</td>
</tr>
<tr>
<td>

Mos Tree



com_mtree

</td>
<td> <= 1.5.8</td>
<td>Upgrade to latest stable version. [http://www.mosets.com/download/] </td>
<td> [http://forum.joomla.org/index.php/topic,78298.0.html Forum Topic] </td>

<td> 2006</td>
</tr>
<tr>
<td>

MosMedia



com_mosmedia

</td>
<td> <= 1.0.8</td>
<td> Temporary Fix Available. See [http://forum.joomla.org/index.php/topic,78533.0.html this thread] for details.</td>

<td> [http://forum.joomla.org/index.php/topic,78533.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>

MoSpray



com_mospray

</td>
<td> <= 1.8 RC1</td>
<td> Abandoned. Remove completely or use at your own risk.</td>

<td> [http://forum.joomla.org/index.php/topic,76331.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>

Multibanners



com_multibanners


* Note: Not the same as the Multibanners Module.

</td>
<td> All 

</td>
<td> Abandoned. Remove completely or use at your own risk.</td>
<td> [http://secunia.com/advisories/21168/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,77977.0.html Forum Topic] 
</td>
<td> 2006</td>

</tr>
<tr>
<td>

OpenSEF


com_sef


</td>
<td> <= 2.0.0 RC5 Unpatched</td>
<td> [http://projects.j-prosolution.com/project-news/opensef-news/security-patch-for-opensef.html Download patch] </td>
<td valign="top"> [http://forum.joomla.org/index.php/topic,77301.0.html Forum Topic] </td>
<td> 2006</td>
</tr>

<tr>
<td>

PC Cook Book


com_pccookbook

</td>

<td> <= 1.3.1</td>
<td> No Fix Available. Disable or remove.</td>
<td> [http://www.frsirt.com/english/advisories/2006/2739 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,76009.0.html Forum Topic] 
</td>

<td> 2006</td>
</tr>
<tr>
<td>

Per Forms



com_performs

</td>
<td><= v1_beta </td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/frs/do/viewRelease/projects.performs/frs.com_performs.com_performs_v2_beta ] </td>
<td> [http://secunia.com/advisories/21044/ Secunia Advisory] [http://forum.joomla.org/index.php/topic,76654.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,76862.0.html Forum Topic] 
</td>
<td> 2006</td>
</tr>
<tr>
<td> Phil-A-Form</td>

<td> < 1.2 
</td>
<td> Upgrade to latest version. 
</td>
<td> [http://forum.joomla.org/index.php?topic=174770.new#new Forum Topic]

 
 
</td>
<td> May 2007</td>
</tr>
<tr>
<td>


People Book


com_peoplebook

</td>
<td> <= 1.1.5</td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/frs/do/viewRelease/projects.peoplebook/frs.component.component_1_1_6_0] </td>

<td>[http://forge.joomla.org/sf/go/artf5410?nav=1 Joomla Forge] </td>
<td> 2006</td>
</tr>
<tr>
<td>


Prince Clan Chess


com_pcchess

</td>
<td> <= 0.8</td>
<td> Author suggest manually patching. [http://www.princeclan.org/] </td>

<td> See [http://www.princeclan.org/ this site]. </td>
<td> 2006</td>
</tr>
<tr>
<td>


PollXT


com_pollxt

</td>
<td> <= 1.22.07</td>
<td>Upgrade to latest stable version. [http://www.joomlaxt.com/index.php?option=com_remository&Itemid=77&func=fileinfo&id=9] </td>

<td> [http://secunia.com/advisories/21068/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,77975.0.html Forum Topic] 
[http://secunia.com/advisories/21068/ Secunia Advisory]
</td>
<td>2006</td>
</tr>
<tr>

<td>

 RS Gallery2


com_rsgallery2

</td>

<td> <= 1.11.3</td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/go/projects.rsgallery2/frs.rsg2_alpha_builds.rsg2_1_11_4]</td>
<td> [http://forum.joomla.org/index.php/topic,73453.0.html Forum Topic]
</td>
<td> 06</td>

</tr>
<tr>
<td>RWCards</td>
<td> < 2.4.4 
</td>
<td> Upgrade to latest stable version.</td>

<td> [http://forum.joomla.org/index.php/topic,154792.msg749006.html#msg749006 Forum Topic] </td>
<td> 26 June 2007 
</td>
</tr>
<tr>
<td> Security Images 

com_securityimages 
</td>
<td> <= 3.0.5</td>
<td>Upgrade to latest stable version.</td>
<td> [http://secunia.com/advisories/21260/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,81589.0.html Forum Topic] 

</td>
<td> June 2007</td>
</tr>
<tr>
<td> SEF404x 
com_sef 

</td>
<td> All</td>
<td> No Fix Available. Remove completely or use at your own risk.</td>
<td> No references. 
</td>
<td>2006</td>

</tr>
<tr>
<td>sh404SEF</td>
<td>1.2.4 t, u, or w </td>
<td>Patch or update. 
</td>
<td> [http://forum.joomla.org/index.php/topic,226147.0.html Forum Topic] 

</td>
<td>23 Oct, 2007 
</td>
</tr>
<tr>
<td>

Site Map



com_sitemap

 
</td>
<td> All 
</td>

<td> Abandoned. Remove completely or use at your own risk. 
[http://www.simplemachines.org/community/index.php?topic=97649.0] </td>
<td>
[http://secunia.com/advisories/21055/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,76326.0.html Forum Topic] 
[http://secunia.com/advisories/21055/ Secunia Advisory] 
</td>

<td> 2006</td>
</tr>
<tr>
<td>

SimpleBoard



com_simpleboard

</td>
<td> All</td>
<td>Upgrade to latest JoomlaBoard. JoomlaBoard is compatible with SimpleBoard. [http://developer.joomla.org/sf/frs/do/viewRelease/projects.simpleboard/frs.joomlaboard_1_1.joomlaboard_1_1_2 Download here].</td>
<td>

[http://secunia.com/advisories/20981/ Secunia Advisory] 
[http://secunia.com/advisories/20409/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,75668.0.html Forum Topic] 
[http://secunia.com/advisories/20981/ Secunia Advisory] 
</td>
<td> 2006</td>

</tr>
<tr>
<td>

SMF Bridge


com_smf


</td>
<td> <= 1.1.4</td>
<td>

Versions other than 1.1RC2. Fix Available. [http://www.simplemachines.org/community/index.php?topic=100140.0 See this thread].



 


Version 1.1RC2 only. Upgrade available. 
[http://www.simplemachines.org/community/index.php?topic=97649.0 See this thread.]

</td>

<td> [http://secunia.com/advisories/21079/ Secunia Advisory] 
[http://www.simplemachines.org/community/index.php?topic=100140.0 Simple Machines Advisory] 
[http://forum.joomla.org/index.php/topic,78313.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,77716.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,78359.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,76609.0.html Forum Topic] 

[http://secunia.com/advisories/21079/ Secunia Advisory] 
</td>
<td> 2006</td>
</tr>
<tr>
<td>


TaskHopper


com_thopper

</td>
<td> <= 1.1 
</td>

<td> Upgrade to latest version. 
</td>
<td> 

[http://forum.joomla.org/index.php/topic,159111.0.html Forum Topic]

</td>

<td> 2006</td>
</tr>
<tr>
<td>

User Home Pages 1 and 2



com_uhp and com_uhp2

</td>
<td> <= 1.1.1 (?)</td>
<td>Upgrade to latest stable version. [http://www.ravenswoodit.co.uk/index.php?option=com_docman&task=cat_view&gid=78&Itemid=13] </td>
<td> [http://forum.joomla.org/index.php/topic,81308.msg416865.html#msg416865 Forum Topic] 
[http://secunia.com/advisories/21305/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,81308.msg416865.html#msg416865 Forum Topic] 
</td>
<td> June 2007</td>
</tr>
<tr>
<td>VirtueMart</td>

<td> <= 1.0.13a</td>
<td>Upgrade to version >= 1.0.14. Available [http://virtuemart.net/index.php?option=com_content&task=view&id=54&Itemid=147 here]. </td>
<td> [http://virtuemart.net/index.php?option=com_content&task=view&id=275&Itemid=127 Security Bulletin] </td>
<td>January 2008</td>
</tr>
<tr>

<td>WordPress 
(Not a Joomla! extension, but worth noting.) </td>
<td> 2.1.1</td>
<td> Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,146478.msg737784.html#msg737784 Forum Topic]</td>

<td> 26 June 2007 
</td>
</tr>
<tr>
<td> zOOm Media Gallery</td>
<td><= 2.5.1 RC4</td>

<td> [http://www.zoomfactory.org/index.php?option=com_remository&Itemid=61&func=select&id=1 Upgrade to latest stable version].</td>
<td> [http://www.frsirt.com/english/advisories/2007/1353 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,160119.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td> BF Survey Pro BF Survey Basic BF Quiz</td>
<td><=1.2.5 <=1.0 <=1.1.1</td>
<td>[http://www.tamlyncreative.com.au/software/index.php/downloads.html Upgrade to latest versions]</td>
<td>[http://forum.joomla.org/viewtopic.php?f=431&t=336055&start=0 Forum Post] [http://www.tamlyncreative.com.au/software/forum/index.php?topic=357.0 Developer's Forum Post]</td>
<td>September, 2009</td>
</tr>
<tr>
<td> Photoblog (com_photoblog)</td>
<td>Unknown</td>
<td>Unknown</td>
<td>[http://www.securityfocus.com/bid/36809/info Security Focus Advisory]</td>
<td>October 26, 2009</td>
</tr>

</table>

[[Category:Security]]
[[Category:Security_FAQ]]

Vulnerable Extensions List (Archived)

2011-07-15T12:25:34Z

CirTap: Reverted edits by CirTap (talk) to last revision by Chris Davenport

Folderlist form field type

2011-07-15T12:05:37Z

CirTap: fixed marker box using "notice"

[[Image:Params.folderlist.jpg|right]]

{{notice|In Joomla! 1.5, [[Form field|form fields]] were [[Parameter|parameters]]. For that version, you may want to use the corresponding [[Folderlist parameter type]].}}

The '''folderlist''' form field type provides a drop down list of folders from a specfied directory. If the field has a saved value this is selected when the page is first loaded. If not, the default value (if any) is selected.

By default, the first item on the list is '- Do not use -' (which is translatable) and is given the value '-1' and this is followed by '- Use default -' (also translatable) given the value '0'.

* '''type''' (mandatory) must be '''folderlist'''.
* '''name''' (mandatory) is the unique name of the field.
* '''label''' (mandatory) (translatable) is the descriptive title of the field.
* '''directory''' (mandatory) is the filesystem path to the directory containing the folders to be listed.
* '''default''' (optional) is the default folder name.
* '''description''' (optional) (translatable) is text that will be shown as a tooltip when the user moves the mouse over the drop-down box.
* '''filter''' (optional) is a regular expression string which is used to filter the list of folders selected for inclusion in the drop-down list. If omitted, all folders in the directory are included. The filter argument expression is applied before the exclude argument expression. For information on constructing regular expressions see [[Regular expressions in parameter arguments]].
* '''exclude''' (optional) is a regular expression string which is used to exclude folders from the list. The exclude argument expression is applied after the filter argument expression. For information on constructing regular expressions see [[Regular expressions in parameter arguments]].
* '''hide_none''' (optional) is a Boolean argument. If true, the '- Do not use -' item is omitted from the drop-down list.
* '''hide_default''' (optional) is a Boolean argument. If true, the '- Use default -' item is omitted from the drop-down list.

Example XML field definition:
<source lang="xml"><field name="myfolder" type="folderlist" default="" label="Select a folder" directory="administrator" filter="" exclude="" stripext="" /></source>
<noinclude>

=== See also ===
* [[Filelist form field type]]
* [[Imagelist form field type]]
* [[Standard form field types|List of standard form field types]]
[[Category:Standard form field types]]</noinclude>

Vulnerable Extensions List (Archived)

2011-07-15T11:35:48Z

CirTap:

For a more recent list please see [[Vulnerable Extensions List]]

<table border="1" cellpadding="3" cellspacing="3">
<tr style="background-color: #ff9900" valign="bottom">
<th align="left" width="25%">Name</th>
<th align="left">Versions</th>
<th align="left">Solution</th>
<th align="left">References</th>
<th>Updated</th>
</tr>
<tr>

<td>

A6MamboCredits

com_a6mambocredits
</td>

<td>All </td>
<td>Abandoned. Remove completely or use at your own risk.</td>
<td>[http://secunia.com/advisories/21540/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,86978.0.html Forum Topic]</td>
<td> 2006</td>

</tr>
<tr>
<td>

A6MamboHelpDesk


com_a6mambohelpdesk


</td>
<td> All </td>
<td> Abandoned. Remove completely or use at your own risk.
</td>
<td>
[http://forum.joomla.org/index.php/topic,80890.0.html Forum Topic] 
[http://secunia.com/advisories/21540/ Secunia Advisory] 

[http://secunia.com/advisories/21227/ Secunia Advisory]
</td>
<td> 2006</td>
</tr>
<tr>
<td>


Advanced Poll


com_advancedpoll (?)

</td>
<td> <= 2.2.0</td>
<td>
Abandoned. Remove completely or use at your own risk.
</td>

<td> [http://forum.joomla.org/index.php/topic,76621.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>Adobe Acrobat Reader 
(Not a Joomla! extension, but worth noting.)</td>

<td> <= 7.0.8</td>
<td>Upgrade to latest stable version.
</td>
<td>[http://www.adobe.com/support/security/advisories/apsa07-01.html Adobe Advisory]
</td>
<td>2006</td>
</tr>

<tr>
<td> Akocomment</td>
<td> All</td>
<td>SQL Injection with PHP magic_quotes OFF. No upgrade path yet. 
Fix: Turn PHP magic_quotes ON 
</td>

<td>[http://forum.joomla.org/index.php?topic=185805.msg882326#msg882326 Forum Topic] 
</td>
<td>June 30, 2006 
</td>
</tr>
<tr>
<td>Article</td>

<td> <= 1.1 
</td>
<td> Upgrade to latest stable version.</td>
<td> [http://www.milw0rm.com/exploits/3736 milwOrm Advisory] 
[http://www.frsirt.com/english/adisories/2007/1394 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,160876.msg775119.html#msg775119 Forum Topic]</td>
<td> 26 June 2007 
</td>
</tr>
<tr>
<td>

ArtLinks




com_artlinks

</td>
<td> All
</td>
<td> Abandoned. Remove completely or use at your own risk.
</td>

<td>[http://forum.joomla.org/index.php/topic,76328.0.html Forum Topic]
</td>
<td>2006</td>
</tr>
<tr>
<td> AutoStand </td>

<td> <= 1.1 
</td>
<td> No further information at this time. 
</td>
<td>
[http://www.milw0rm.com/exploits/3734 milwOrm Advisory] 
[http://www.frsirt.com/english/advisories/2007/1392 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,160876.msg775119.html#msg775119 Forum Topic]


 

</td>
<td> 26 June 2007 

</td>
</tr>
<tr>
<td>

Bayesian Naive Filter



com_bayesiannaivefilter

</td>
<td> <= 1.1
</td>
<td> No Fix Available. Disable or remove until a fix is available.
</td>
<td>[http://forum.joomla.org/index.php/topic,81594.0.html Forum Topic]

</td>
<td> 2006</td>
</tr>
<tr>
<td>

Bible Study



com_biblestudy

</td>
<td> <= 6.0.7b and below
</td>
<td> Fix Available. SQL Insertion attack
</td>
<td>http://joomlacode.org/gf/project/biblestudy/

</td>
<td> 2008</td>
</tr>
<tr>
<td>

BigApe Backup



com_babackup

</td>
<td> All </td>
<td> A patch is available from the developer. [http://forum.joomla.org/index.php/topic,87736.msg465256.html#msg465256 See this post.] </td>

<td> [http://secunia.com/advisories/21574/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,87736.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>


BSQ Site Stats


com_bsqsitestats

</td>
<td> <= 2.2.1</td>

<td>Upgrade to latest stable version. 
</td>
<td>[http://forum.joomla.org/index.php/topic,77899.0.html Forum Topic] 
[http://secunia.com/advisories/22142/ Secunia Advisory] </td>
<td> 2006</td>
</tr>

<tr>
<td>Car Manager 
</td>
<td> <= 1.1 
</td>
<td> No further information at this time.</td>

<td>[http://forum.joomla.org/index.php/topic,154777.msg748946.html#msg748946 Forum Topic] </td>
<td> 26 June 2007 
</td>
</tr>
<tr>
<td>


Classifieds



com_classifieds

</td>
<td> <= 1.3</td>
<td>Upgrade to latest stable version.</td>

<td>[http://forum.joomla.org/index.php/topic,82457.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Colophon




com_colophon

</td>
<td> <= 1.2</td>
<td>Upgrade to latest stable version.</td>
<td>[http://secunia.com/advisories/21288/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,81587.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Community Builder



com_profiler

</td>
<td> <= 1.0.0</td>
<td>


Upgrade to latest stable version. 


[http://forum.joomla.org/index.php/topic,86525.msg441456.html#msg441456 See here for a fix for register_globals = off]

</td>
<td>[http://www.joomlapolis.com/content/view/1538/37/ Jomopolis Topic] 

[http://forum.joomla.org/index.php/topic,84436.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,86525.msg441456.html#msg441456 Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

DS-Syndicate



com_ds-syndicate

</td>
<td>All versions?</td>
<td>
SQL injection vulnerability. 
Remove completely or use at your own risk. Component has been removed from JED. Abandoned?


</td>
<td>
[http://www.frsirt.com/english/advisories/2008/2859 http://www.frsirt.com/english/advisories/2008/2859]
<td>Nov. 27, 2008</td>
</tr>
<tr>
<td>


Events



com_events

</td>
<td> <= 1.3 Beta</td>
<td>Upgrade to latest stable version.</td>

<td>[http://forum.joomla.org/index.php/topic,80411.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>Expose Flash Gallery</td>
<td> RC4</td>

<td>[http://joomlacode.org/gf/project/expose/frs/?action=FrsReleaseView&release_id=5053 Download patch] 
</td>
<td>[http://forum.joomla.org/index.php/topic,192172.0.html Forum Topic]</td>
<td>20 July 2007 
</td>
</tr>
<tr>

<td>

ExtCalendar



com_extcalendar

</td>
<td> <= 0.9.1</td>

<td> Upgrade to version 0.9.2. See[http://forum.joomla.org/index.php/topic,75390.msg402249.html#msg402249 this post] for details. Also check the new forked project, JCal. </td>
<td> [http://secunia.com/advisories/19321/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,75390.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,79050.0.html Forum Topic] 

[http://forum.joomla.org/index.php/topic,78268.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Facile Forms



com_facileforms

</td>
<td> <= 1.4.6</td>
<td>Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,98973.0.html Forum Topic]</td>

<td> 2006</td>
</tr>
<tr>
<td>

Galleria




com_galleria

</td>
<td> All </td>
<td> Abandoned. Remove completely or use at your own risk.</td>
<td>[http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3396 NVD Advisory] 

[http://forum.joomla.org/index.php/topic,77706.0.html Forum Topic]</td>
<td> 2006</td>
</tr>
<tr>
<td>

Gmaps




com_gmaps

</td>
<td><=1.01 </td>
<td>Upgrade to the latest version, which can be downloaded [http://firestorm-technologies.com/component/option,com_docman/Itemid,27/task,doc_download/gid,22/ here] 
</td>

<td>[http://www.securityfocus.com/bid/25146 Security Focus Advisory] 
</td>
<td> 6 August 2007</td>
</tr>
<tr>
<td>


Hash Cash


com_hashcash

</td>
<td> All </td>
<td> Abandoned. Remove completely or use at your own risk.</td>

<td>[http://secunia.com/product/11046/ Secunia Advisory] 
</td>
<td> 2006</td>
</tr>
<tr>
<td>


Hot Property


com_hotproperties (?)

</td>
<td> <= 0.97</td>
<td>Upgrade to [http://www.mosets.com/download/ latest stable version].</td>

<td> No references available at this time.</td>
<td> 2006</td>
</tr>
<tr>
<td>

JCE




com_jce

</td>
<td> <= 1.0.4</td>
<td> Apply patch, download it [http://www.cellardoor.za.net/index.php?option=com_docman&task=cat_view&gid=1&Itemid=6 here], or use latest stable version.</td>

<td>

[http://secunia.com/advisories/23160/ Secunia Advisory] 
[http://www.cellardoor.za.net/ Cellardoor] 
[http://secunia.com/advisories/23160/ Secunia Advisory]

</td>
<td> 2006</td>

</tr>
<tr>
<td>

JoomlaPack


com_jpack


</td>
<td> 1.0.4a2 RE</td>
<td>Upgrade to latest stable version.
</td>
<td>

[http://www.milw0rm.com/exploits/3753 MilwOrm Advisory] 
[http://www.frsirt.com/english/advisories/2007/1429 FrSIRT Advisory]


</td>
<td> 2006</td>
</tr>
<tr>
<td>

JoomlaBoard



com_joomlaboard

</td>
<td> <= 1.1.1
</td>
<td>


Upgrade to latest stable version.


[http://forum.joomla.org/index.php/topic,86525.msg441456.html#msg441456 RG_EMULATION Fix]

</td>
<td> [http://secunia.com/advisories/21059/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,76852.0.html Forum Topic] 

[http://forum.joomla.org/index.php/topic,86525.msg441513.html#msg441513 Forum Topic] 
</td>
<td>2006</td>
</tr>
<tr>
<td>

JoomlaLib




com_joomlalib

</td>
<td> <= 1.2.1</td>
<td>Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,77899.0.html Forum Topic]</td>

<td> 2006</td>
</tr>
<tr>
<td>

JD-WordPress



com_jd-wp

</td>
<td> <= 2.0-1.0 RC2</td>
<td> Patch Available. 
See [http://forum.joomla.org/index.php/topic,81064.msg418374.html#msg418374 this post]. </td>

<td>[http://forum.joomla.org/index.php/topic,81064.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>



JD-Wiki


com_jd-wiki

</td>
<td>All 
</td>

<td>

Abandoned project. 
Upgrade to [http://joomlacode.org/gf/project/nuwiki/ nuWiki]

</td>
<td>


[http://forum.joomla.org/index.php/topic,80188.msg427986.html#msg427986 Forum Topic]


[http://forum.joomla.org/index.php?topic=177926.0 Forum Topic]

</td>
<td>6 July 2007</td>

</tr>
<tr>
<td>


JIM 1.0.1. (PMS)



com_jim

</td>
<td> 1.0.1 
</td>
<td>Upgrade to latest stable version. The developer fixed security issues but didn't create a higher version number.</td>
<td>[http://secunia.com/advisories/21545/ Secunia Advisory] </td>

<td> 2006</td>
</tr>
<tr>
<td>joomSEF (ARTIO)
</td>
<td> <=2.2.1</td>

<td> Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,226147.0.html Forum Topic]</td>
<td>27 Oct 2007 
</td>
</tr>
<tr>

<td>

jPack


com_jpack

</td>
<td>< 1.0.4-b1</td>

<td> Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,163589.msg847010.html#msg847010 Forum Topic]</td>
<td> 26 June 2007 
</td>
</tr>
<tr>

<td>

Link Directory


com_linkdirectory

</td>
<td> All 

</td>
<td> Remove. Abandoned project. 
</td>
<td> No references.
</td>
<td> 2006</td>
</tr>

<tr>
<td>

Letterman



mod_letterman

</td>

<td> <= 1.2.4</td>
<td>Upgrade to latest stable version. [http://www.thejfactory.com] </td>
<td>[http://forum.joomla.org/index.php?topic=180367 Forum Topic]
</td>
<td> May 2007</td>

</tr>
<tr>
<td>

LMO


com_lmo


</td>
<td> <= 1.0b2</td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/frs/do/viewRelease/projects.lmo/frs.com_lmo.com_lmo_1_0_b3 ] </td>
<td> [http://www.frsirt.com/english/advisories/2006/3063 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,81590.0.html Forum Topic] </td>

<td> 2006</td>
</tr>
<tr>
<td>

LoudMouth



com_loudmouth

</td>
<td> <= 4.0j</td>
<td> Upgrade to version 4.1 then apply Security Patch 1. [http://mamboxchange.com/frs/?group_id=39&release_id=5995 Download here].</td>
<td> [http://forum.joomla.org/index.php/topic,76337.0.html Forum Topic] 

[http://mamboxchange.com/forum/forum.php?forum_id=7638 MamboExchange Advisory]</td>
<td> 2006</td>
</tr>
<tr>
<td>


MamCom (?)


com_trade

</td>
<td> All 
</td>

<td> Abandoned. Remove completely or use at your own risk. 
</td>
<td> *Unconfirmed*</td>
<td> 2006</td>
</tr>
<tr>

<td>

MambelFish 1.x


com_mambelfish

</td>
<td> <= 1.x</td>

<td> Upgrade to 1.5 (or to Joom!Fish) [http://mamboxchange.com/frs/download.php/4518/MambelFish_1.5.zip Download Mambelfish ] [http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,460/Itemid,35/ Download Joom!Fish] </td>
<td> [http://secunia.com/advisories/21544/ Secunia Advisory] </td>
<td> 2006</td>
</tr>

<tr>
<td>


Mambo Gallery Manager





com_mgm


</td>
<td> All</td>
<td> Abandoned. Remove completely or use at your own risk.</td>
<td> [http://forum.joomla.org/index.php/topic,81616.0.html Forum Topic] 

[http://www.frsirt.com/english/advisories/2006/3054 FrSIRT Advisory] </td>
<td> 2006</td>
</tr>
<tr>
<td>

MiniBB



com_minibb

</td>
<td> <= 1.5a</td>
<td> Abandoned. Remove completely or use at your own risk.</td>

<td>

[http://securityreason.com/exploitalert/846 Security Reason Advisory] [http://forum.joomla.org/index.php/topic,76898.0.html Forum Topic] 
[http://securityreason.com/exploitalert/846 Security Reason]

</td>

<td> 2006</td>
</tr>
<tr>
<td>

Mos Tree



com_mtree

</td>
<td> <= 1.5.8</td>
<td>Upgrade to latest stable version. [http://www.mosets.com/download/] </td>
<td> [http://forum.joomla.org/index.php/topic,78298.0.html Forum Topic] </td>

<td> 2006</td>
</tr>
<tr>
<td>

MosMedia



com_mosmedia

</td>
<td> <= 1.0.8</td>
<td> Temporary Fix Available. See [http://forum.joomla.org/index.php/topic,78533.0.html this thread] for details.</td>

<td> [http://forum.joomla.org/index.php/topic,78533.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>

MoSpray



com_mospray

</td>
<td> <= 1.8 RC1</td>
<td> Abandoned. Remove completely or use at your own risk.</td>

<td> [http://forum.joomla.org/index.php/topic,76331.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td>

Multibanners



com_multibanners


* Note: Not the same as the Multibanners Module.

</td>
<td> All 

</td>
<td> Abandoned. Remove completely or use at your own risk.</td>
<td> [http://secunia.com/advisories/21168/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,77977.0.html Forum Topic] 
</td>
<td> 2006</td>

</tr>
<tr>
<td>

OpenSEF


com_sef


</td>
<td> <= 2.0.0 RC5 Unpatched</td>
<td> [http://projects.j-prosolution.com/project-news/opensef-news/security-patch-for-opensef.html Download patch] </td>
<td valign="top"> [http://forum.joomla.org/index.php/topic,77301.0.html Forum Topic] </td>
<td> 2006</td>
</tr>

<tr>
<td>

PC Cook Book


com_pccookbook

</td>

<td> <= 1.3.1</td>
<td> No Fix Available. Disable or remove.</td>
<td> [http://www.frsirt.com/english/advisories/2006/2739 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,76009.0.html Forum Topic] 
</td>

<td> 2006</td>
</tr>
<tr>
<td>

Per Forms



com_performs

</td>
<td><= v1_beta </td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/frs/do/viewRelease/projects.performs/frs.com_performs.com_performs_v2_beta ] </td>
<td> [http://secunia.com/advisories/21044/ Secunia Advisory] [http://forum.joomla.org/index.php/topic,76654.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,76862.0.html Forum Topic] 
</td>
<td> 2006</td>
</tr>
<tr>
<td> Phil-A-Form</td>

<td> < 1.2 
</td>
<td> Upgrade to latest version. 
</td>
<td> [http://forum.joomla.org/index.php?topic=174770.new#new Forum Topic]

 
 
</td>
<td> May 2007</td>
</tr>
<tr>
<td>


People Book


com_peoplebook

</td>
<td> <= 1.1.5</td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/frs/do/viewRelease/projects.peoplebook/frs.component.component_1_1_6_0] </td>

<td>[http://forge.joomla.org/sf/go/artf5410?nav=1 Joomla Forge] </td>
<td> 2006</td>
</tr>
<tr>
<td>


Prince Clan Chess


com_pcchess

</td>
<td> <= 0.8</td>
<td> Author suggest manually patching. [http://www.princeclan.org/] </td>

<td> See [http://www.princeclan.org/ this site]. </td>
<td> 2006</td>
</tr>
<tr>
<td>


PollXT


com_pollxt

</td>
<td> <= 1.22.07</td>
<td>Upgrade to latest stable version. [http://www.joomlaxt.com/index.php?option=com_remository&Itemid=77&func=fileinfo&id=9] </td>

<td> [http://secunia.com/advisories/21068/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,77975.0.html Forum Topic] 
[http://secunia.com/advisories/21068/ Secunia Advisory]
</td>
<td>2006</td>
</tr>
<tr>

<td>

 RS Gallery2


com_rsgallery2

</td>

<td> <= 1.11.3</td>
<td>Upgrade to latest stable version. [http://forge.joomla.org/sf/go/projects.rsgallery2/frs.rsg2_alpha_builds.rsg2_1_11_4]</td>
<td> [http://forum.joomla.org/index.php/topic,73453.0.html Forum Topic]
</td>
<td> 06</td>

</tr>
<tr>
<td>RWCards</td>
<td> < 2.4.4 
</td>
<td> Upgrade to latest stable version.</td>

<td> [http://forum.joomla.org/index.php/topic,154792.msg749006.html#msg749006 Forum Topic] </td>
<td> 26 June 2007 
</td>
</tr>
<tr>
<td> Security Images 

com_securityimages 
</td>
<td> <= 3.0.5</td>
<td>Upgrade to latest stable version.</td>
<td> [http://secunia.com/advisories/21260/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,81589.0.html Forum Topic] 

</td>
<td> June 2007</td>
</tr>
<tr>
<td> SEF404x 
com_sef 

</td>
<td> All</td>
<td> No Fix Available. Remove completely or use at your own risk.</td>
<td> No references. 
</td>
<td>2006</td>

</tr>
<tr>
<td>sh404SEF</td>
<td>1.2.4 t, u, or w </td>
<td>Patch or update. 
</td>
<td> [http://forum.joomla.org/index.php/topic,226147.0.html Forum Topic] 

</td>
<td>23 Oct, 2007 
</td>
</tr>
<tr>
<td>

Site Map



com_sitemap

 
</td>
<td> All 
</td>

<td> Abandoned. Remove completely or use at your own risk. 
[http://www.simplemachines.org/community/index.php?topic=97649.0] </td>
<td>
[http://secunia.com/advisories/21055/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,76326.0.html Forum Topic] 
[http://secunia.com/advisories/21055/ Secunia Advisory] 
</td>

<td> 2006</td>
</tr>
<tr>
<td>

SimpleBoard



com_simpleboard

</td>
<td> All</td>
<td>Upgrade to latest JoomlaBoard. JoomlaBoard is compatible with SimpleBoard. [http://developer.joomla.org/sf/frs/do/viewRelease/projects.simpleboard/frs.joomlaboard_1_1.joomlaboard_1_1_2 Download here].</td>
<td>

[http://secunia.com/advisories/20981/ Secunia Advisory] 
[http://secunia.com/advisories/20409/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,75668.0.html Forum Topic] 
[http://secunia.com/advisories/20981/ Secunia Advisory] 
</td>
<td> 2006</td>

</tr>
<tr>
<td>

SMF Bridge


com_smf


</td>
<td> <= 1.1.4</td>
<td>

Versions other than 1.1RC2. Fix Available. [http://www.simplemachines.org/community/index.php?topic=100140.0 See this thread].



 


Version 1.1RC2 only. Upgrade available. 
[http://www.simplemachines.org/community/index.php?topic=97649.0 See this thread.]

</td>

<td> [http://secunia.com/advisories/21079/ Secunia Advisory] 
[http://www.simplemachines.org/community/index.php?topic=100140.0 Simple Machines Advisory] 
[http://forum.joomla.org/index.php/topic,78313.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,77716.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,78359.0.html Forum Topic] 
[http://forum.joomla.org/index.php/topic,76609.0.html Forum Topic] 

[http://secunia.com/advisories/21079/ Secunia Advisory] 
</td>
<td> 2006</td>
</tr>
<tr>
<td>


TaskHopper


com_thopper

</td>
<td> <= 1.1 
</td>

<td> Upgrade to latest version. 
</td>
<td> 

[http://forum.joomla.org/index.php/topic,159111.0.html Forum Topic]

</td>

<td> 2006</td>
</tr>
<tr>
<td>

User Home Pages 1 and 2



com_uhp and com_uhp2

</td>
<td> <= 1.1.1 (?)</td>
<td>Upgrade to latest stable version. [http://www.ravenswoodit.co.uk/index.php?option=com_docman&task=cat_view&gid=78&Itemid=13] </td>
<td> [http://forum.joomla.org/index.php/topic,81308.msg416865.html#msg416865 Forum Topic] 
[http://secunia.com/advisories/21305/ Secunia Advisory] 
[http://forum.joomla.org/index.php/topic,81308.msg416865.html#msg416865 Forum Topic] 
</td>
<td> June 2007</td>
</tr>
<tr>
<td>VirtueMart</td>

<td> <= 1.0.13a</td>
<td>Upgrade to version >= 1.0.14. Available [http://virtuemart.net/index.php?option=com_content&task=view&id=54&Itemid=147 here]. </td>
<td> [http://virtuemart.net/index.php?option=com_content&task=view&id=275&Itemid=127 Security Bulletin] </td>
<td>January 2008</td>
</tr>
<tr>

<td>WordPress 
(Not a Joomla! extension, but worth noting.) </td>
<td> 2.1.1</td>
<td> Upgrade to latest stable version.</td>
<td>[http://forum.joomla.org/index.php/topic,146478.msg737784.html#msg737784 Forum Topic]</td>

<td> 26 June 2007 
</td>
</tr>
<tr>
<td> zOOm Media Gallery</td>
<td><= 2.5.1 RC4</td>

<td> [http://www.zoomfactory.org/index.php?option=com_remository&Itemid=61&func=select&id=1 Upgrade to latest stable version].</td>
<td> [http://www.frsirt.com/english/advisories/2007/1353 FrSIRT Advisory] 
[http://forum.joomla.org/index.php/topic,160119.0.html Forum Topic] </td>
<td> 2006</td>
</tr>
<tr>
<td> BF Survey Pro BF Survey Basic BF Quiz</td>
<td><=1.2.5 <=1.0 <=1.1.1</td>
<td>[http://www.tamlyncreative.com.au/software/index.php/downloads.html Upgrade to latest versions]</td>
<td>[http://forum.joomla.org/viewtopic.php?f=431&t=336055&start=0 Forum Post] [http://www.tamlyncreative.com.au/software/forum/index.php?topic=357.0 Developer's Forum Post]</td>
<td>September, 2009</td>
</tr>
<tr>
<td> Photoblog (com_photoblog)</td>
<td>Unknown</td>
<td>Unknown</td>
<td>[http://www.securityfocus.com/bid/36809/info Security Focus Advisory]</td>
<td>October 26, 2009</td>
</tr>

</table>

[[Category:Security]]

Vulnerable Extensions List/Archive

2011-07-15T11:27:51Z

CirTap: Changed protection level for "Vulnerable Extensions List/Archive" ([edit=sysop] (indefinite) [move=sysop] (indefinite))

Former Lists of vulnerable extensions.
<splist/>
[[Category:Security]]
[[Category:Security_FAQ]]

Vulnerable Extensions List (Archived)

2011-07-15T11:27:39Z

CirTap: Protected "Vulnerable Extensions List/Archive/2010-11" ([edit=sysop] (indefinite) [move=sysop] (indefinite))

Archived vel

2011-07-15T11:27:22Z

CirTap: Protected "Vulnerable Extensions List/Archive/2009-10" ([edit=sysop] (indefinite) [move=sysop] (indefinite))

Vulnerable Extensions List/Archive

2011-07-15T11:19:25Z

CirTap: Changed protection level for "Vulnerable Extensions List/Archive" ([edit=sysop] (indefinite) [move=sysop] (indefinite)) [cascading]

Former Lists of vulnerable extensions.
<splist/>
[[Category:Security]]
[[Category:Security_FAQ]]

Vulnerable Extensions List/Archive

2011-07-15T09:22:02Z

CirTap: Protected "Vulnerable Extensions List/Archive" ([edit=sysop] (indefinite) [move=sysop] (indefinite))

Former Lists of vulnerable extensions.
<splist/>
[[Category:Security]]
[[Category:Security_FAQ]]

Talk:Vulnerable Extensions List

2011-07-15T09:20:42Z

CirTap: moved Talk:Vulnerable Extensions List/Archive/2010-11 to Talk:Vulnerable Extensions List: back to where it belongs

'''ToDo'''
# Some links left to cleanup.
# Should this format be converted to a wiki template for easier editing?
# Should each item be it's own file?
# Links to old forum topics are broken. Is there a pattern we can use to map these to the new forum path/topics?

== Are Vulnerabilities confirmed? ==

I ask because, I cannot find any confirmation that a couple of these vulnerabilities are valid.

Obviously, many of theses are correct, but it seems like some of this is just parroting, without installing the extension, and running a test.

Should the unconfirmed vulnerabilities be flagged as such?

Vulnerable Extensions List

2011-07-15T09:10:48Z

CirTap: Archive subpages

{{RightTOC}}
'''Please check here also:'''
<splist/>
Please also check the [[Investigation of exploits|Extension Investigation List]].

== Check and Report. ==
'''Please check with the extension publisher in case of any questions over the security of their product.'''
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond.
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] are the main editors
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly

== How to use this list ==
'''Items will be removed after a suitable period and not on resolution'''
All known vulnerable extensions are the listed in the first column. Any in a red box are where we have not been given a fix for. Alert Advisory details in the centre column .
Finally a link to the notice about any update with link or '''Not Known''' where none is known.

'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]
* We do not list BETA products, or extensions for J1.0.x

== Developers - How to get yourself removed from the VEL ==

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

* '''If JED listed'''

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.

5- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of yournew version number and security notice page

6- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website

VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here]

* '''If not JED listed.'''
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.

== February 2010 and onwards Reported Vulnerable Extensions ==
<startFeed />

'''Please check with the extension publisher in case of any questions over the security of their product.'''
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List_0210#Codes_used codes]
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly

{| class="wikitable sortable" border="1"
|-
! '''Extension'''
! class="unsortable"| '''Details'''
! '''Date Added'''
! class="unsortable" |'''Extension Update Link & Date'''
|-
|style="background:red; color:white" |

== Sobi ==
|SQLI -
|130711
|[http://www.sigsiu.net/changelog developer fix and update statement]
|-
|style="background:#cef2e0; color:black" |

== fabrik ==
|sqli
|120711
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]
|-
|

== xmap ==
|sqli 1.2.11
|120711
|upgrade to 1.2.12
|-
|style="background:red; color:white" |

== Atomic Gallery ==
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery]
|110711
|
|-
|

== myApi ==
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.]
|020711
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]
|-
|style="background:red; color:white" |

== mdigg ==
|SQL I (not listed in JED)
|020711
|
|-
|style="background:#cef2e0; color:black" |

== Calc Builder ==
|sqli + ID
|180611
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]
|-
|style="background:red; color:white" |

== Cool Debate ==
|Cool Debate 1.03 LFI
|
|
|-
|style="background:red; color:white" |

== ==
|
|
|
|-
|style="background:#cef2e0; color:black" |

== Scriptegrator Plugin 1.5.5==
|LFI
|140611
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6
|-
|style="background:#cef2e0; color:black" |

== Joomnik Gallery ==
|SQLi
|
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]
|-
|style="background:#cef2e0; color:black" |

== JMS fileseller ==
|LFI
|0611
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]
|-
|style="background:#cef2e0; color:black" |

== sh404SEF ==
|low-level XSS security issue
|300511
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]
|-
|style="background:#cef2e0; color:black" |

== JE Story submit ==
|LFI/RFI
|
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]
|-
|style="background:red; color:white" |

== FCKeditor ==
|File Upload Vulnerability
|230511
|
|-
|style="background:red; color:white" |

== KeyCaptcha ==
|Private report under investigation
|190511
|
|-
|style="background:red; color:white" |

== Ask A Question AddOn v1.1 ==
|SQLi
|160511
|
|-
|style="background:#cef2e0; color:black" |

== Global Flash Gallery ==
|flash-gallery.com xss
|130511
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]
|-
|style="background:#cef2e0; color:black" |

== com_google ==
|LFI [http://freejoomlacomponent.appspot.com/ com_google]
|080511
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]
|-
|style="background:#cef2e0; color:black" |

== docman ==
|com-docman Input Validation Error
|160511
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]
|-
|style="background:#cef2e0; color:black" |

== Newsletter Subscriber ==
|XSS
|120511
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]
|-
|style="background:#cef2e0; color:black" |

== Akeeba ==
|akkeba backup and joomlapack
|170411
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]
|-
|style="background:#cef2e0; color:black" |

== Facebook Graph Connect ==
|SID. call home device with user credentials
|120411
|[http://www.sikkimonline.info/security-notice dev update notice]
|-
|style="background:#cef2e0; color:black" |

== booklibrary ==
|SQLi ordasoft booklibrary
|180311
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]
|-
|style="background:red; color:white" |

== semantic ==
|com semantic http://www.scms.es/joomla creates hidden admin users
|150311
|
|-
|

== JOMSOCIAL 2.0.x 2.1.x ==
|SID, open folders
|120311
|
|-
|style="background:#cef2e0; color:black" |

== flexicontent ==
|forced 777, malicious files
|250311
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]
|-
|style="background:red; color:white" |

== jLabs Google Analytics Counter ==
|jLabs Google Analytics Counter SID
|
|
|-
|
== xcloner ==
|Unspecified
|260211
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]
|-
|style="background:#cef2e0; color:black" |

== smartformer ==
|RFI
|230211 (repeat of 041110)
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]
|-
|style="background:#cef2e0; color:black" |

== xmap 1.2.10 ==
|Malicious payload in zip
|230211
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode]
|-
|style="background:#cef2e0; color:black" |

== Frontend-User-Access 3.4.1 ==
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI
|030211
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]
|-
|style="background:#cef2e0; color:black" |

== com properties 7134 ==
| http://com-property.com/ malicious files in script
|
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]

|-
|style="background:red; color:white" |

== B2 Portfolio ==
|B2 portfolio 1.0 SQLi pulseextensions.com
|250111
|
|-
|style="background:#cef2e0; color:black" |

== allcinevid ==
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367
|220111
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]
|-
|style="background:red; color:white" |

== People Component ==
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli
|150111
|
|-
|style="background:#cef2e0; color:black" |

== J!Dump v1.1.2 ==
| LFI in J!Dump v1.1.2 and before
|060111
|The extension is fixed in
[http://joomlacode.org/gf/project/jdump/frs version 1.1.3] 070111
|-
|style="background:#cef2e0; color:black" |

== xmovie 1.0 ==
|xmovie 1.0 LFi
|010111
|[http://www.optikool.com/news/xmovie-news/45-xmovie-11-udpate v1.1 is a security release.]
|-
|style="background:#cef2e0; color:black" |

== Easy File Uploader ==
|LFI - http://extensions.joomla.org/extensions/core-enhancements/file-management/11909
|090111
| Fixed MIME type tamper vulnerability http://michaelgilkes.info/joomla-plugin-easy-file-uploader 2011-01-10
|-
|style="background:#cef2e0; color:black" |

== akeebabackup admin tools ==
|xss
|181210
|http://www.akeebabackup.com/home/item/929-security-release-admin-tools-1-1.html devs update statement
|-
|style="background:#cef2e0; color:black" |

== aicontactsafe ==
|XSS for versions 2.0.13 and below
|161210
|[http://www.algisinfo.com/joomla/aicontactsafe-change-log.html dev release 2.0.14]
|-
|style="background:#cef2e0; color:black" |

== JRadio ==
|JRadio LFI/SID
|161210
|http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56 developer fix statement
|-
|style="background:#cef2e0; color:black" |

== JE Auto ==
|JE Auto 1.0 SQL I
|091210
|[http://www.joomlaextensions.co.in/extensions/components/je-auto.html developers bug fix statement]
|-
|style="background:#cef2e0; color:black" |

== jxtended comments ==
|xss
|081210
|[http://jxtended.com/blog/releases/375-jxtended-comments-131-stable-released.html dev notice] update to 1.3.1
|-
|style="background:#cef2e0; color:black" |

== sh404SEF ==
|sqlI
|301110
|[http://dev.anything-digital.com/Blog/sh404SEF/Urgent-security-releases-now-available-for-all-version-of-sh404SEF.html dev post of resolution]
|-
|style="background:#cef2e0; color:black" |

== JE Ajax Event Calendar ==
|SQL I (relist)
|251110
|[http://joomlaextensions.co.in/extensions/components/je-ajax-event-calender.html Dev states resolved,]
|-
|style="background:red; color:white" |

== Jimtawl ==
|Jimtawl LFI
|251110
|
|-
|style="background:#cef2e0; color:black" |

== mosets tree ==
|mosets tree various
|181110
|dev release 2.1.8 http://forum.mosets.com/showthread.php?t=17064
|-
|style="background:red; color:white" |

== Maian Media SILVER ==
|Maian Media SQLi
|151110
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]
|-
|style="background:red; color:white" |

== alfurqan ==
|alfurqan 1.5 sqli
|151110
|
|-
|style="background:red; color:white" |

== ccboard ==
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]
|131110
|

|-
|style="background:red; color:white" |

== ProDesk v 1.5 ==
|LFI
|091110
|
|-
|style="background:#cef2e0; color:black" |

== JQuarks 4 survey 1.0.0 ==
|SQLi
|091110
| [http://www.iptechinside.com/labs/projects/list_files/jquarks-for-surveys developer statement updated to version 1.0.1] 101110
|-
|style="background:#cef2e0; color:black" |

== RSform! 1.0.5 ==
|Multiple vulnerabilities - LFI, SQLi
|061110
| [http://www.rsjoomla.com/customer-support/documentations/12-general-overview-of-the-component/46-rsform-changelog.html developer announcement of security release]to 1.0.6 091110
|-
|style="background:#cef2e0; color:black" |

== ccinvoices ==
|SQLi for [http://www.chillcreations.com/ ccinvoices]
|051110
|Developer Upgrade release to ccInvoices_110RC3 061110
|-
|style="background:red; color:white" |

== sponsorwall ==
|SQL injection pulseextensions.com
|011110
|
|-
|style="background:red; color:white" |

== Flip wall ==
|SQL injection pulseextensions.com
|011110
|
|-
|style="background:#cef2e0; color:black" |

== K2 joomlaworks ==
| http://getk2.org/ k2 xss
|
|[http://getk2.org/ version 2.4.1]
|-
|style="background:#cef2e0; color:black" |

== Mosets Tree 2.1.5 ==
|Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI
|
|[http://forum.mosets.com/forumdisplay.php?f=2 developer relase statement and change log]
|-
|style="background:red; color:white" |

== Freestyle FAQ 1.5.6 ==
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 ‎SQL Injection
|
|
|-
|style="background:#cef2e0; color:black"|

== JE FAQ Pro ==
|[http://www.jextn.com/ Je faq pro] various reports
|090910
|[http://www.jextn.com/joomla-faq-component-extensions-downloads Developer update notice]
|-
|style="background:red; color:white" |

== iJoomla Magazine 3.0.1 ==
|iJoomla Magazine 3.0.1 RFI
|090910
|
|-
|style="background:red; color:white" |

== Clantools ==
|
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli
|090910
|
|-
|style="background:red; color:white" |

== jphone ==
|jphone LFI
|090910
|
|-
|style="background:#cef2e0; color:black"|

== Gantry Framework ==
|SQli injection
|050910
|[http://www.gantry-framework.org/news Update to 3.0.11]
|-
|style="background:red; color:white" |

== PicSell ==
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]
|020910
|
|-
|style="background:#cef2e0; color:black"|

== JE FAQ Pro ==
|[http://www.jextn.com/joomla-faq-component-extensions-downloads/ SID]
|020910
|[http://www.jextn.com/joomla-faq-component-extensions-downloads Developer update notice]
|-
|style="background:red; color:white" |

== Zoom Portfolio ==
|SID
|020910
|
|-
|style="background:red; color:white" |

== zina ==
|[http://www.pancake.org/zina/ SQL Injection]
|020910
|
|-
|style="background:red; color:white" |

== Team's ==
|[http://www.joomlamo.com Teams extension] SQL Injection
|120810
|
|-
|style="background:red; color:white" |

== Amblog ==
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi
|120810
|
|-
|style="background:red; color:white" |

== ==
|
|
|
|-
|style="background:#cef2e0; color:black"|

== Graffiti Wall ==
|[http://extensions.joomla.org/extensions/extension-specific/jomsocial-extensions/13263 Graffiti Wall] for [http://www.joomplace.com/forum/jomsocial-plugins/jomsocial-plugins/graffiti-wall-permissions-777.html jomsocial silent 777]
|310710
|[http://extensions.joomla.org/extensions/extension-specific/jomsocial-extensions/13263 Dev statement 1.1 - is security release]. Folder permission was set by default as 777 that is unsecure.
|-
|style="background:#cef2e0; color:black"|

== Spielothek ==
|http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation
|290710
|Dev states version 1.7.1 resolves issues 020810
|-
|style="background:#cef2e0; color:black"|

== Aardvertiser ==
|http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777
|290710
|[http://sourceforge.net/projects/aardvertiser/forums/forum/989030/topic/3788365 dev announces silent 0777 fixed in Version 2.1 290710]
|-
|style="background:#cef2e0; color:black"|

== FW Real Estate Light ==
|http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777
|290710
|[http://www.fastw3b.net/fw-real-estate-light.html version 1.1 reported as fixed 777 issue]
|-
|

== ==
|
|
|
|-
|style="background:#cef2e0; color:black"|

== jDownloads ==
|http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting
|2807110
|1.7.4 RC3 Build 771 update on Jul 29 to remove 0777
|-
|style="background:#cef2e0; color:black"|

== TTVideo ==
|[http://www.toughtomato.com TTVideo 1.0 Joomla] SQL Injection Vulnerability
|270710
|[http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/ dev updated the component to prevent this]. 280710
Users are no longer able to download the previous version.
|-
|style="background:#cef2e0; color:black"|

== frei-chat2.0 ==
|http://code.google.com/p/frei-chat/downloads/list xss vulnerability
|230710
|[http://code.google.com/p/frei-chat/downloads/list Dev announcement to fix] 2.1.2 for FreiChat [Those having CB installed]AND 1.2.2 for FreiChatPure [Extension Independent] 240710

|-
|style="background:#cef2e0; color:black"|

== QContacts ==
|http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 '''Version: 1.0.4 reported, current version 1.0.6'''
|220710
|Devleoper states [http://www.latenight-coding.com/news/joomla/supposed-vulnerability-qcontacts-104.html unproven report and no POC]
|-
|style="background:red; color:white" |

== Jomtube ==
|http://www.jomtube.com/ SID
|220710
|
|-
|style="background:#cef2e0; color:black"|

== mysms ==
|http://www.willcodejoomlaforfood.de/ Upload Vulnerability
|july 10,2010
|290710 [http://www.willcodejoomlaforfood.de/ released the version 1.5.12.]
|-
|style="background:red; color:white" |

== Rapid Recipe ==
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2
|july 10,2010
|
|-
|style="background:red; color:white" |

== Health & Fitness Stats ==
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010
|
|
|-
|style="background:red; color:white" |

== staticxt ==
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided
|
|
|-
|style="background:#cef2e0; color:black"|
== EasyBlog ==
|http://stackideas.com/products/easyblog.html xss (new report) july 10,2010
|
|[http://extensions.joomla.org/extensions/news-production/blog/12630 developer reported fix available on site ]
|-
|style="background:#cef2e0; color:black"|

== redshop light ==
|http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and sqli
|110710
|[http://redcomponent.com/forum/72-redshop-light/11261-redshop-light-rc2-released-security-release Developer reported fix and upgrade to RC2]
|-
|style="background:red; color:white" |

== quickfaq ==
|http://www.schlu.net sqli
|090710
|
|-
|style="background:red; color:white" |

== Minify4Joomla ==
|http://waltercedric.com/ LFI and xss
|090710
|No longer available to download
|-
|style="background:red; color:white" |

== IXXO Cart ==
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== Music Manager ==
|LFI [http://danieljamesscott.org/software/4-joomla-extensions/4-music-manager.html music manager]
|090710
|[http://danieljamesscott.org/software/4-joomla-extensions/4-music-manager.html Version 0.13 released]
|-
|style="background:red; color:white" |

== PaymentsPlus ==
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability
|090710
|current version 2.20, 2.1.5 not listed on dev site
|-
|style="background:red; color:white" |

== ArtForms ==
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities
|090710
| Old beta extension
|-
|style="background:#cef2e0; color:black"|

== NeoRecruit ==
|neojoomla.com SQL Injection
| neorecruit vers 1.4 060710
|[http://www.neojoomla.com/index.php?lang=en dev statement of fix in 1.4.1 and safe 2.0.5]
|-
|style="background:red; color:white" |

== autartimonial ==
|autartica.be Sqli Vulnerability
|060710
|
|-
|style="background:#cef2e0; color:black"|

== Jobs Pro ==
|instantphp.com/ Sqli
|060710
|[http://www.instantphp.com/news/40-new-releases/153-jobs-133-is-published.html devs] announcement of fix 130710
|-
|

== JPodium ==
|http://www.jpodium.de/ SQL Injection
|060710
|[http://www.jpodium.de/index.php?option=com_content&view=article&id=135:jpodium-not-vulnerable-to-sql-injection&catid=2:newsrotator Devs statement as to not proven]
|-
|style="background:#cef2e0; color:black"|

== Front-End Article Manager System ==
|http://b-elektro.no/ Upload Vulnerability
|040710
|[http://b-elektro.no/index.php dev states resolved]
|-
|style="background:#cef2e0; color:black"|

== addressbook ==
|http://b-elektro.no/ Upload Vulnerability
|040710
|[http://b-elektro.no/index.php dev states resolved]
|-
|

== NijnaMonials ==
|http://ninjaforge.com/ Sqli Vulnerability
|040710
|070410 Discovered to be malicious/false report see [http://nekkidninjas.com/index.php/2010/07/05/there-is-no-sql-injection-vulnerability- devs notice]
|-
|style="background:#cef2e0; color:black"|

== Phoca Gallery ==
|SQL I (wrong download location in report)
|040710
|style="background:#cef2e0; color:black"| deemed malicious report
|-
|style="background:#cef2e0; color:black"|

== socialads ==
|techjoomla.com/ Xss Vulnerability
|040710
|[http://techjoomla.com/joomla-extension-news/socialads-v101-security-update-to-fix-xss-vulnerability-out.html Developers resolved statement]
|-
|style="background:red; color:white" |

== eventcal 1.6.4 ==
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode
|040710
|
|-
|style="background:#cef2e0; color:black"|

== myblog controller ==
|LFI
http://www.azrul.com/
|010710
|[http://www.azrul.com/ MyBlog 3.0.332]
|-
|style="background:#cef2e0; color:black"|

== joomanager ==
|SQli Vulnerability
http://www.joomanager.com
|010710
|[http://www.joomanager.com/component/content/article/3-newsflash/60-joomanager-v13-stable-and-sef-plugins-released.html developer release statement] 260311
|-
|style="background:#cef2e0; color:black"|

== gamesbox ==
|SQL Injection Vulnerability
http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox
|010710
|upgrade to 1.0.10
|-
|style="background:red; color:white" |

== wmtpic ==
|www.webmaster-tips.net various
|010710
|
|-
|style="background:red; color:white" |

== date converter ==
|http://sourceforge.net/projects/date-converter/ sqli
|010710
|
|-
|

== Remository ==
|http://remository.com/ LFI (proc)
|010710
|Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710
|-
|style="background:#cef2e0; color:black"|

== RokBridge 1.0rc12 ==
|http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SDI
|090810
|[http://www.rockettheme.com/extensions-updates/834-rokbridge-10rc13-released RokBridge has been updated to version 1.0rc13.] 120810
|-
|style="background:red; color:white" |

== real estate ==
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI
|210610
|
|-
|style="background:#cef2e0; color:black"|

== jomsocial ==
|Version: 1.6.288 Multiple XSS
|210610
|[http://www.jomsocial.com/blog/security-patch-for-jomsocial-16x.html 1.6.291 released] 220610

|-
|style="background:#cef2e0; color:black"|

== DOCman ==
|DOCman 1.5.7 DOCman 1.4.0 none specific exploit
|210610
|[http://blog.joomlatools.eu/2010/06/docman-security-announcement.html developer announcement]
|-
|style="background:#cef2e0; color:black"|

== eportfolio ==
|http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability
|200610
|Developer [http://www.joomplace.com/e-portfolio/e-portfolio-description.html announcement ] 270810

|-
|style="background:red; color:white" |

== cinema ==
|SQL injection
|190610
|
|-
|style="background:red; color:white" |

== Jreservation ==
|http://jforjoomla.com/ SQLi Vulnerability
|190610
|
|-
|style="background:#cef2e0; color:black"|

== Super Messenger ==
|axxis.gr xss
|190610
|[http://axxis.gr/forum/viewtopic.php?f=6&t=641 developer release statement 1.4.6]
|-
|style="background:red; color:white" |

== joomdocs ==
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability
|190610
|
|-
|style="background:#cef2e0; color:black"|

== RSComments 1.0.0 ==
|Persistent XSS NOTE: ONLY executes in backend!
|190610
|[http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html Developer update announcement] 210610
|-
|style="background:red; color:white" |

== Live Chat ==
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities
|190610
|
|-
|style="background:red; color:white" |

== Turtushout 0.11 ==
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)
|190610
|
|-
|style="background:red; color:white" |

== BF Survey Pro Free ==
|BF Survey Pro Free SQL Injection Exploit
|190610
|
|-
|style="background:red; color:white" |

== MisterEstate ==
|http://www.misterestate.com/ Blind SQL Injection Exploit
|190610
|
|-
|style="background:red; color:white" |

== RSMonials ==
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit
|190610
|Believed to be 1.5.1 version

|-
|style="background:#cef2e0; color:black"|

== RSComments 1.0.0 ==
|RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted)
|180610
|[http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html Developer update announcement] 210610
|-
|style="background:red; color:white" |

== Answers v2.3beta ==
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652
|180610
|
|-
|style="background:red; color:white" |

== Gallery XML 1.1 ==
|Multiple Vulnerabilities
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504
|180610
|
|-
|style="background:red; color:white" |

== JFaq 1.2 ==
|JFaq 1.2 Multiple Vulnerabilities
|180610
|
|-
|style="background:red; color:white" |

== Listbingo 1.3 ==
|Multiple Vulnerabilities
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062
|180610
|
|-
|style="background:#cef2e0; color:black"|

== PowerMail Pro ==
| PowerMail Pro Local File Inclusion Vulnerability
|
|[http://powermail4joomla.com/forum/showthread.php?tid=163 Dev upadte statement] 151010
|-
|style="background:red; color:white" |

== Alpha User Points ==
|www.alphaplug.com LFI
|180610
|
|-
|style="background:#cef2e0; color:black"|

== Magic Updater ==
|http://software.realtyna.com/ RFI
|170610
|[http://software.realtyna.com/component/content/article/64-security-patch-for-magic-updater-and-translator.html] developer update statement
|-
|style="background:red; color:white" |

== recruitmentmanager ==
|http://recruitment.focusdev.co.uk Upload Vulnerability
|130610
|
|-
|style="background:red; color:white" |

== Info Line (MT_ILine) ==
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file
|120610
|
|-
|style="background:#cef2e0; color:black"|

== Search Log ==
|http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi
|080610
|[http://www.kanich.net/radio/site/searchlog/searchlog-download Developer cited update to version 3.1.1 100710]

|-
|

== iJoobi ==
|jtickets, jsubscription SQL Injection Vulnerability,
jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection,
|090610
|developer states unproven

|-
|style="background:red; color:white" |

== Ads manager Annonce ==
|http://joomla.clubnautiquemarine.fr/
Upload Vulnerability
| 05/06/10
|
|-
|style="background:red; color:white" |

== lead article ==
|http://www.leadya.co.il/ SQLi
|050610
|
|-
|style="background:red; color:white" |

== djartgallery ==
|http://www.design-joomla.eu Multiple Vul
|05/06/10
|
|-
|style="background:red; color:white" |

== Gallery 2 Bridge ==
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability
|

|-
|style="background:red; color:white" |

== jsjobs ==
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability
|
|
|-
|

== ==
|
|
|
|-
|style="background:red; color:white" |

== JE Poll ==
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== MyCar ==
|http://www.unisoft.me/extensions/ sqli ID
|
|[http://www.unisoft.me/mycar/index.php?option=com_smallchat&Itemid=5 Dev announcement update to 1.1]
|-
|style="background:red; color:white" |

== MediQnA ==
|MediQnA LFI vulnerability version : v1.1
|
|
|-
|style="background:red; color:white" |

== JE Job ==
|http://joomlaextensions.co.in/ LFI SQLi
|
|
|-
|style="background:#cef2e0; color:black"|

== BF Quiz ==
|SQL Injection Exploit Version(s) = 1.3.0
|
|[http://www.tamlyncreative.com.au/software/forum/index.php?topic=729.0 Developer update to BF Quiz v1.3.1]
|-
|

== ==
|
|
|
|-
|style="background:#cef2e0; color:black"|

== Ozio Gallery 2 ==
|DT and open email relay
|280510
|[http://oziogallery.joomla.it/index.php?option=com_content&view=article&id=65:rilasciata-la-versione-ozio-gallery-25&catid=2:notizie&Itemid=13&lang=en Developer update and security release] 010610
|-
|style="background:red; color:white" |

== SectionEx ==
|Stack Ideas section Ex LFI
|
|
|-
|style="background:red; color:white" |

== ActiveHelper LiveHelp ==
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp]
|200510
|
|-
|style="background:#cef2e0; color:black"|
== RS Comments ==
|XSS Vulnerability
|
|[http://www.rsjoomla.com/customer-support/documentations/96--general-overview-of-the-component/393-changelog.html - fix posted 210510]
|-
|

== BCA RSS Feed ==
|LFI and other vulnerabilities
|
|Upgrade to [http://ninjaforge.com/index.php?option=com_ninjacentral&page=show_package&id=74&Itemid=236 Ninja RSS Syndicator 1.0.9 or later]
|-
|

== SimpleDownload ==
|http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits
|160510
|updated version (version 0.9.6)
|-
|style="background:red; color:white" |
== JE Quotation Form ==
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI
|
|
|-
|style="background:red; color:white" |

== konsultasi ==
|SQL Injection Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== Aardvertiser ==
|Local File Inclusion Vulnerability
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454
|
|see [http://docs.joomla.org/Vulnerable_Extensions_List#Aardvertiser resolved notice 040810]
|-
|style="background:red; color:white" |

== Seber Cart ==
|Local File Disclosure Vulnerability
|
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]
|-
| style="background:#cef2e0; color:black"|

== FDione Form Wizard ==
|lfi vulnerability
|140510 200510
|[http://dionesoft.com Update to Dione Form Wizard (v. 1.0.4)].
|-
| style="background:#cef2e0; color:black"|

== Custom PHP Pages ==
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability
|
|[http://fijiwebdesign.com Developer declares not vulnerable 140510]
|-
|style="background:red; color:white" |

== Camp26 Visitor ==
|RFI www.camp26.biz
|
|
|-
|style="background:#cef2e0; color:black"|

== iJoomla News Portal ==
|RFI SID
|
|[http://www.ijoomla.com/forum/index.php/topic,4480.0.html Update to 1.5.10]
|-
|
== article Factory Manager ==
|RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html
|may 2010
|can not reproduce and unproven, http://www.thefactory.ro
|-
|style="background:#cef2e0; color:black"|

== Table JX Component ==
|http://www.toolsjx.com/ Table JX Component XSS
|060510 - update 130510
|Version: 1.5.5 considered unsafe, [http://www.toolsjx.com update to 1.5.7]
|-
|style="background:red; color:white" |

== JE Property ==
|JE Property Finder Upload Vulnerability
|
|
|-
|style="background:red; color:white" |

== Noticeboard ==
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability
|
|
|-
|style="background:red; color:white" |

==SmartSite ==
|SmartSite com_smartsite Local File Inclusion Vulnerability
|
|
|-
|style="background:#cef2e0; color:black" |

== ABC ==
|ABC SQL Injection Vulnerability
|
|reported as updated to JED 290410
|-
|style="background:red; color:white" |

== htmlcoderhelper graphics ==
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability
|
|
|-
|style="background:red; color:white" |

== Ultimate Portfolio ==
|Ultimate Portfolio Local File Inclusion Vulnerability
|
|
|-
|style="background:#cef2e0; color:black" |

== huruhelpdesk ==
|http://www.huruhelpdesk.net sqli injection
|
|[http://www.huruhelpdesk.net/forums/8-announcements/392--sql-injection-reveals-user-md5-password-hash Reported fix]
|-
|style="background:red; color:white" |

== Archery Scores ==
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]

|210410
|
|-
|style="background:red; color:white" |

== ZiMB Manager ==
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability
|210410
|
|-
|style="background:red; color:white" |

== Matamko ==
|Matamko Local File Inclusion Vulnerability
|210410
|
|-
|style="background:red; color:white" |

== Multiple Root ==
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/
|
|
|-
|style="background:red; color:white" |

== Multiple Map ==
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com
|
|
|-
|style="background:red; color:white" |

== Contact Us Draw Root Map ==
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com
|
|
|-
|style="background:red; color:white" |

== iF surfALERT ==
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability
|
|
|-
|style="background:red; color:white" |

== GBU FACEBOOK ==
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/
|
|
|-
|style="background:red; color:white" |

== jnewspaper ==
|jnewspaper (cid) SQL Injection Vulnerability
|
|
|-
|style="background:#cef2e0; color:black"|

== JTM Reseller ==
|TM Reseller SQL injection vulnerability
|
|[http://jtmreseller.com/ Developer Update]
|-
|style="background:#cef2e0; color:black" |

== media Mall Factory ==
|SQLi
|200410
| [http://www.thefactory.ro/contact-us/product-update-request.html Solution: update to 1.0.5]

|-
|style="background:#cef2e0; color:black"|

== Gadget Factory ==
|LFi
|200410
|[http://www.thefactory.ro/contact-us/product-update-request.html Solution: update to 1.5.1]
|-
|style="background:#cef2e0; color:black"|

== Deluxe Blog Factory ==
|SQLi
|200410
|[http://www.thefactory.ro/contact-us/product-update-request.html update to 1.1.2]
|-
|

== ==
|
|
|
|-
|style="background:red; color:white" |
== MT Fire Eagle ==

|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com
| 190410
| product considered retired and to be replaced by dev
|-
|
== com properties ==
| http://com-property.com/ SQL I
|
|[http://www.com-property.com/images/fbfiles/files/properties-20100413.txt developer announced fix]
|-
|style="background:red; color:white"|

== Sweetykeeper ==
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/
|120410
|
|-
|style="background:red; color:white"|

== jvehicles ==
|SQL Injection http://jvehicles.com
|120410
|
|-
|style="background:red; color:white"|

== worldrates ==
|http://dev.pucit.edu.pk/
|120410
|
|-
|style="background:red; color:white"|

== cvmaker ==
|http://dev.pucit.edu.pk/
|
|
|-
|style="background:red; color:white"|

== advertising ==
|http://dev.pucit.edu.pk/
|
|
|-
|style="background:red; color:white"|

== horoscope ==
|http://dev.pucit.edu.pk/
|120410
|
|-
|style="background:red; color:white"|

== webtv ==
|http://dev.pucit.edu.pk/
|120410
|
|-
|style="background:red; color:white"|

== diary ==
|http://dev.pucit.edu.pk/
|120410
|-
|style="background:#cef2e0; color:black"|

== Multi-Venue Restaurant Menu Manager (MVRMM) ==
|http://www.focusdev.co.uk/
|120410
||[http://extensions.joomla.org/extensions/vertical-markets/food-a-beverage/10015 Version 1.5.2 Stable Update 4]
|-
|style="background:red; color:white"|

== Memory Book ==
|http://dev.pucit.edu.pk/
|120410
|-
|style="background:#cef2e0; color:black"|

== TRAVELbook ==
| http://www.demo-page.de/
|120410
|[http://www.demo-page.de/de/erweiterungen-mehr-inhalte/travelbook/download.html developers resolution notice 1.0.2]
|-
|style="background:#cef2e0; color:black"|

== AlphaUserPoints ==
|
|[http://www.alphaplug.com/index.php/downloads.html?func=fileinfo&id=31 developer upgrade]

|-
|style="background:red; color:white"|

== JprojectMan ==
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676
|110410
|-
|style="background:#cef2e0; color:black"|

== CKForms ==
|1.3.4 release - Important LFI security fix [http://joomlacode.org/gf/project/ckforms/news/?action=NewsThreadView&id=2814 ]
|07-04-10
|[http://ckforms.cookex.eu/download/download.php upgrade]
|-
|style="background:red; color:white"|

== econtentsite ==
|LFI
|040410
|
|-
|style="background:red; color:white"|

== Jvehicles ==
|ID
|040410
|-
|

== ==
|
|
|-
|style="background:#cef2e0; color:black"|

== smestorage ==
|[http://www.smestorage.com SMEStorage] LFI

|Updated 29 March 10
|[http://gelembjuk.com/index.php?option=com_content&view=section&layout=blog&id=1&Itemid=55 developer fix] to 1.1
|-
|style="background:#cef2e0; color:black"|

== JE Tooltip ==
|[http://joomlaextensions.co.in/formcreator/ JE Tooltip] LFI
|Updated 23 March
|-
|style="background:#cef2e0; color:black"|

== Gift Exchange Beta ==
|[http://extensions.joomla.org/extensions/communities-a-groupware/membership/11680 Gift exchange] SQLi
|Updated 23 March
|[http://socialables.com/28-Jomsocial/Gift-Exchange/flypage.tpl.html upgrade beta 1.0.1]

|-
|style="background:#cef2e0; color:black"|

== RokDownloads ==
|[[http://extensions.joomla.org/extensions/directory-a-documentation/downloads/7967 LFI]]
|15 march 2010
||upgrade to [http://www.rockettheme.com/extensions-updates/638-rokdownloads-10-released version 1.0]
|-
|style="background:red; color:white"|

== gigcalender ==

|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]
|13 march 2010
|
|-
|style="background:red; color:white"|

== heza content ==
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]
|13 march 2010
|
|-
|style="background:#cef2e0; color:black" |

== juliaportfolio ==
|LFI [http://extensions.joomla.org/extensions/directory-&-documentation/portfolio/8519/details juliaportfolio]
|13 march 2010
|[http://www.treidorinte.ro/joomla-extensions/19-joomla-components/467-juliaportfolio-security-upgrade-required withdrawal and update notice]
|-

|style="background:#cef2e0; color:black" |

== Flash Magazine Deluxe ==
|SQL Injection Vulnerability.
|Feb 25
|'''[http://www.joomplace.com/flash-magazine-deluxe/flash-magazine-deluxe-description.html Developer Update Version 2.0.11 09/03/10]'''
|-
|style="background:red; color:white" |

== SqlReport ==
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.
|Feb 20
|'''Not Known'''
|-
|style="background:#cef2e0; color:black" |

== Scriptegrator ==
|Core Design [http://www.greatjoomla.com/extensions/plugins/core-design-scriptegrator-plugin.html Scriptegrator] RFI exploit
|Feb 20
|[http://www.greatjoomla.com/extensions/plugins/core-design-scriptegrator-plugin.html Dev Upgrade announcement]
|-
|style="background:#cef2e0; color:black" |

== AllVideos 3.1 ==
|
A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/]|
|17 Feb
| [http://joomlaworks.googlecode.com/files/plg_jw_allvideos-v3.3_j1.5.zip Version 3.3 release 18th]
|-
|style="background:#cef2e0; color:black" |

== RW Cards ==
| [http://extensions.joomla.org/extensions/3430/details RW Card] LFI and ID exploit [http://www.weberr.de/ Dev Site]
|180210
|style="background:#cef2e0; color:black" |''' [http://www.weberr.de/index.php/forum.html?func=view&catid=5&id=1939&limit=6 developer update]'''
|-
|style="background:red; color:white" |

== Yelp ==
| SQLi - Unable to locate developer. Possibly a custom extension.
|Feb 01
|style="background:red; color:white" | ''' Not Known'''
|-
|style="background:#cef2e0; color:black" |

== '''Autartitarot''' ==
|Directory Traversal. Back end access required
| Feb 05
|style="background:#cef2e0; color:black" | ''' Please upgrade to [http://www.autartica.be/en/autartitarot version 1.0.4]'''
|-
|style="background:#cef2e0; color:black" |

== communitypolls ==
|LFI - [http://www.corejoomla.com/ community polls]
|Feb 17
||upgrade to [http://www.corejoomla.com/ version 1.5.3]
|-
|

== ==
|
|
|
|}
<endFeed />

''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance]
''

== Codes used ==
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]

LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]

RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]

DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia]

ID = Information Disclosure: account information or sensitive information publicly viewable

== Future Actions & WIP ==

[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed

to feed VEL direct to twitter

== Notes ==
The RSS feed is currently fed by item entry order and not by date fixed.
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]

----
[[Category:Security]]
[[Category:Security_FAQ]]
[[Category:Component Management]]
----

Archived vel

2011-07-15T09:07:31Z

CirTap: moved Archived vel to Vulnerable Extensions List/Archive/2009-10: poluting Main namespace