http://docs.joomla.org/api.php?action=feedcontributions&user=Mandville&feedformat=atom
Joomla! Documentation - User contributions [en]
2013-05-25T22:37:25Z
User contributions
MediaWiki 1.19.3
http://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
Security Checklist/You have been hacked or defaced
2013-05-21T09:29:33Z
<p>Mandville: update url</p>
<hr />
<div>{{:Security Checklist/TOC}}<br />
== You have been hacked/defaced ?==<br />
We are sorry for any basic language used in this document.<br />
Before you post in the Joomla! Security Forum [http://forum.joomla.org/viewtopic.php?f=432&t=475313 please read this] checklist summary, then use it as a post template.<br />
<br />
=== On Line Action List===<br />
* Take your [[Taking_the_website_temporarily_offline#Using the htaccess method (cpanel)|website offline]] ('''We recommend the htaccess method''')<br />
<br />
* Run the [https://github.com/ForumPostAssistant/FPA/zipball/en-GB forum post assistant and security tool] The simple Instructions are [http://forum.joomla.org/viewtopic.php?f=621&t=582860 available here]. More detailed instructions are included in the download package. You will need to unzip this package and upload the fpa-en.php file to your server Joomla root The FPA is also [https://github.com/ForumPostAssistant/FPA/tarball/en-GB available in a tar.gz package] for those who desire or need a unix style package. The fpa-en.php file from the package will need to be uploaded to your server Joomla root.<br />
<br />
* Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. (see [[#Local_Security|Local Security]] below)<br />
<br />
* Ensure you have the '''latest version''' of [http://www.joomla.org/download.html Joomla] <br />
<br />
* '''Notify your host''' and work with them to clean up the site, and to make sure there are no back doors to your site.<br />
<br />
* Review [http://vel.joomla.org/ Vulnerable Extensions List] to see if you have any vulnerable extensions and deal with them. A clue to any extensions being targeted is your logs file. Here is an example of what to look for,<br />
<pre>//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http:</pre><br />
or<br />
<pre>../../../../../../../../../../../../../../../../proc/self/environ</pre><br />
<br />
* Review and action [[Security Checklist]] to make sure you've gone through all of the steps (please note some steps are optional, but please review them all).<br />
<br />
* '''Change all passwords''' and if possible user names for the domains control panel, mysql, FTP, [[Why_should_you_immediately_change_the_name_of_the_default_admin_user%3F|Joomla! Super Admin]], and Joomla! Admin password; do change them often. Passwords should be at least 12 mixed alphanumeric characters and contain no common word phrases. <br />
* Do not use the standard Admin user, [[Why_should_you_immediately_change_the_name_of_the_default_admin_user%3F|disable it]]. If you need to reset your admin password, see [[How_do_you_recover_your_admin_password%3F|these instructions]]. <br />
<br />
* '''Replace''' all templates and files with clean copies,<br />
* '''Check''' and/or replace all .pdf, image, photo files for exploits<br />
* Check you server logs for IP's calling suspicious files or attempting POST commands to non-form's<br />
* Use proper permissions on files and directories. They '''should never be 777<ref>Permissions should never be 777</ref>, but ideal is 644 for files and 755 folders'''.<br />
* Disable [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/AnonymousFTP anonymous] FTP<br />
<br />
== chmod and cron ==<br />
<br />
IF you have permissions to access SSH (secure shell) via putty you can chmod the files and directories.<br />
If you do not have shell access, you can run the commands from [http://en.wikipedia.org/wiki/Cron cron] by setting up a temporary cron job. Copy and paste the command into a cron job. Run the job about 2 minutes after saving the job.<br />
When using the command by putty or a cron job, the use of the full physical path to public_html is recommended for best results.<br />
<br />
For files use:<br />
<br />
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -exec chmod 644 {} \;</pre><br />
<br />
and for directories use:<br />
<br />
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;</pre><br />
<br />
=== Monitoring for File Changes ===<br />
To check for recent file changes on your system use these commands from putty (SSH - secure shell) or via a cron job.<br />
If you run the command from a cron job you can schedule it to check for changed files several times each day.<br />
Results will be sent to the domain account owner and show the time/date stamp for any changed files.<br />
When using the command by putty or a cron job, the use of the full physical path to public_html is recommended<br />
for best results.<br />
<br />
<pre>find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;</pre><br />
<br />
Please note your sites files may be located in public_html, httpdocs, www, or a similar place, and your physical path may also be different than in the examples. Adjust the physical path accordingly.<br />
<br />
== 777 Permissions ==<br />
'''If''' the server your are on requires 777 permissions for Joomla to work correctly,<br />
then''' request to be put on another server''' with php as cgi and suphp and up-to-date<br />
serverside software (apache, php etc) on your existing host or find another server host if necessary.<br />
<br />
To protect directories that seemed to need 777 permissions to run or as a default in your images/media folder try this code within a .htaccess file within the open folder.<br />
<pre># secure directory by disabling script execution<br />
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi<br />
Options -ExecCGI</pre> especially in your images folder<br />
* Make sure that is in a htaccess file in a directory that will not run any scripts or remove the extensions as required<br />
<br />
Do check with your hosting provider to see if they have purposely secured the server your site is on; and that they '''or you''' perform regular (weekly) security updates to keep the server up to date.<br />
Check you have jail shell. <br />
A rule of thumb is the less you pay, the less they care<br />
<br />
== A Safe route for disaster relief ==<br />
* save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)<br />
* wipe the entire folder where Joomla! is installed<br />
* upload a new clean full package latest version of joomla 1.5.x or Joomla 2.5.x (minus the install folder)<ref>Incompatible Versions</ref><br />
* reupload your configuration file & images.<br />
* reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)<br />
<br />
To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.<br />
<br />
=== Local Security ===<br />
<br />
* Don't store user name/password in ftp program<br />
** Use a password manager such as the free [http://keepass.info/ keepass]<br />
<br />
* Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.<br />
<br />
* Several packages available are<br />
** [http://www.eset.com/ ENOD32] from eSet<br />
** [http://www.safer-networking.org/ Spybot Search and Destroy]<br />
** [http://www.malwarebytes.org/ Malwarebytes]<br />
** [http://www.microsoft.com/security/ Microsoft Malicious Software Removal Tool]<br />
** [http://www.free-av.com/de/tools/12/avira_antivir_rescue_system.html Linux AntiVirus boot cd]<br />
** [http://www.javacoolsoftware.com/spywareblaster.html spyware blaster]<br />
** [http://www.siteadvisor.com/ siteadvisor]<br />
* Consider the [http://ubcd4win.com/ Ultimate Boot CD for Windows] used for repairing, restoring, or diagnosing almost any home computer problem<br />
<br />
=== Other Considerations ===<br />
<br />
* Do not use the standard jos_ table prefix and avoid one click installers where possible<br />
<br />
* Set the [http://feeds.joomla.org/JoomlaSecurityNews?format=xml joomla security newsfeed] as the main top module in your joomla admin control panel. [[Screen.modulesadministrator.edit.15#Feed_Display|Set up the Security Newsfeed]] <br />
** [[Screen.modulesadministrator.edit.15#How_to_access|Add the Admin Feed Display Module]] if it is missing. Enable it to the first place on your sites back end control panel.<br />
<br />
* Consider adding a [http://forum.joomla.org/viewtopic.php?p=1568940#p1568940 bot block list] to your .htaccess file<br />
<br />
* Use [http://en.wikipedia.org/wiki/SSH_file_transfer_protocol sFTP] instead of FTP where possible<br />
<br />
* Do not enable or use [http://en.wikipedia.org/wiki/File_Transfer_Protocol#Anonymous_FTP anonymous ftp] accounts for any reason.<br />
<br />
* Use a server that has [http://www.modsecurity.org/ mod_security] installed properly<br />
<br />
* Check for any added sub domains and/or added directories<br />
<br />
* Check for any [http://en.wikipedia.org/wiki/Common_Gateway_Interface cgi scripts]<br />
<br />
* Check [http://en.wikipedia.org/wiki/Cron cron] for any cron jobs not set up by domain administrator<br />
<br />
* Download and <ref>Review raw access and error logs.</ref><br />
<br />
* Deny any IP's that you got to the IP ban on your site but it may belong to a proxy site.<br />
<br />
'''Was your site hacked in the past''' and proper site sanitation not used to remove actual<br />
(and hidden) hack thus leaving a backdoor for reinfection.<br />
<br />
* Consider removing "[http://docs.joomla.org/How_do_you_remove_or_change_the_%22Welcome_to_the_Frontpage%22_title%3F welcome to the front page]" to reduce [http://www.google.co.uk/search?q=intext%3A+welcome+to+the+front+page+joomla& search engine attacks]. <br />
<br />
* Completely remove/uninstall, don't unpublish unused or vulnerable extensions. [[Why_isn't_un-publishing_a_vulnerable_extension_enough_to_protect_your_site%3F|Un-publishing a vulnerable extension will not protect your site.]]<br />
<br />
=== Malicious Code or Odd Links appearing on your site ===<br />
<br />
Check that the original template file does or does not insert the [http://forum.joomla.org/viewtopic.php?f=432&t=411735 unwanted code/Malicious Javascript ] or that you downloaded a paid for template from a non trusted source eg file sharing sites<br />
<br />
'''[http://www.iss.net/threats/gumblar.html Gumblar]''' doesn’t use any particular script vulnerability.<br />
This script is injected into every web page ( I would imagine though not confirmed, if infected page is edited then saved it will also be in database) on a site.<br />
Script changes every time it is accessed.<br />
It has been seen on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, on proprietary PHP sites.<br />
The script starts with ''(function('' and has no name and is obfusticated.<br />
A common Gumblar version breaks sites due to a bug in script.<br />
<br />
'''iFrames'''<br />
<br />
In recent iframe exploits the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.). [http://forum.joomla.org/viewtopic.php?f=432&t=411735 Related Forum Sticky]<br />
<br />
=== Contributors & Editing === <br />
[http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 mandville]<br />
[http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
[http://forum.joomla.org/memberlist.php?mode=viewprofile&u=3701 fw116]<br />
[http://forum.joomla.org/memberlist.php?mode=viewprofile&u=322239 JeffChannell]<br />
[http://forum.joomla.org/memberlist.php?mode=viewprofile&u=339316 dynamicnet]<br />
<br />
== References ==<br />
<references/><br />
When your hosting provider runs PHP as an Apache Module it executes as the user/group of the webserver which is usually "nobody", "httpd" or "apache". Under this (ownership) mode, files or directories that you require your php scripts to be able to write do need 777 permissions (read/write/execute at user/group/world level) if the ownership of the files and directories are not Chown (Change Owner) to the User. Such a scenario is absolute unacceptable from a security perspective since '777' not only allows the webserver to write to the file; it also allows anyone else to read or write to the file.<br />
If your provider is not able to change this, one should strongly consider changing host!<br />
<br />
'''Logs'''<br />
Make sure that in your control panel your raw access logs have been activated for review!<br />
<br />
Raw Access Logs allow you to see who has accessed your site without the use of graphs, charts or other graphics. in cPanel for instance you can use the Raw Access Logs menu to download a zipped version of the server's access log for your site. This can be very useful when you need to see who is accessing your site quickly. Many people forget that this needs to be activated by the user of the account and is not automatically activated upon the creation of a hosting account in cPanel for instance!<br />
<br />
'''Incompatible Versions'''<br />
This document applies to all versions of Joomla. Use the latest version of Joomla that is compatible with your existing Joomla website site version to repair your site. Some version upgrades require a [[Migrating_from_Joomla_1.5_to_Joomla_2.5|site migration]] and will render your Joomla site inoperative if used to overwrite an earlier version of Joomla. For example: Do not overwrite a 1.5.xx site with version 2.5.xx of Joomla. Doing so will leave the site in an inoperative state.<br />
<br />
[[Category:FAQ]]<br />
<!-- KEEP THIS AT THE END OF THE PAGE --><br />
[[Category:Security Checklist]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-05-19T17:46:45Z
<p>Mandville: /* Developers - How to get yourself removed from the VEL */</p>
<hr />
<div><br />
<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
Please refer to there for the latest updates}}<br />
<br />
<!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
{{notice|small=yes|image=Stop hand nuvola.svg<br />
|header=Procedure change|All reports are now to be made via vel.joomla.org}}<br />
Report Vulnerable extensions in the [http://vel.joomla.org vel website]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
Please refer to there for the latest updates}}<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5-complete the resolution form on the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3]<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-05-19T17:45:01Z
<p>Mandville: /* Check and Report. */</p>
<hr />
<div><br />
<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
Please refer to there for the latest updates}}<br />
<br />
<!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
{{notice|small=yes|image=Stop hand nuvola.svg<br />
|header=Procedure change|All reports are now to be made via vel.joomla.org}}<br />
Report Vulnerable extensions in the [http://vel.joomla.org vel website]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
Please refer to there for the latest updates}}<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3]<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-05-19T17:41:22Z
<p>Mandville: made instructions even simpler</p>
<hr />
<div><br />
<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
Please refer to there for the latest updates}}<br />
<br />
<!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
{{notice|small=yes|image=Stop hand nuvola.svg<br />
|header=Procedure change|All reports are now to be made via vel.joomla.org}}<br />
Report Vulnerable extensions in the [http://vel.joomla.org]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013]<br />
Please refer to there for the latest updates}}<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3]<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Publishing_to_JED
Publishing to JED
2013-05-13T21:12:13Z
<p>Mandville: update vel link</p>
<hr />
<div>{{RightTOC}}<br />
This file its considered a complement of Joomla! Extensions Directory [http://extensions.joomla.org/tos Terms of Service (TOS)] for extensions developers.<br />
<br />
Inclusion in the Joomla! Extensions Directory is a privilege, not a right and is at the sole discretion of the Joomla! Extensions Directory team and the Community Leadership Team (CLT). Any listing can be removed at any time at the discretion of the Joomla! Extensions Directory team without notice.<br />
<br />
==Your files==<br />
===Coding===<br />
* [[Language_Guidelines_for_3rd_Party_Extensions|Language Guidelines for 3rd Party Extensions]]<br />
* [[Extensions_GPL_notices|Extensions GPL notices]]<br />
* [[Components:xml_installfile|Components:xml installfile]]<br />
* [[Manifest_files|Joomla! Manifest Files]]<br />
* [[Setting_up_your_workstation_for_extension_development|Setting up your workstation for extension development]]<br />
<br />
===Licensing===<br />
* [[Extensions_and_GPL|Extensions and GPL]]<br />
* [[Extensions_GPL_notices|Extensions GPL notices]]<br />
* [[JED_Entries_License_Checklist|JED Entries License Checklist]]<br />
<br />
====Can I submit non-GPL licensed extensions?====<br />
<br />
No. Since March 1st 2009, only Joomla! extensions licensed under the GNU GPL will be accepted into the JED. Read this [http://community.joomla.org/blogs/leadership/636-jed-to-be-gpl-only-by-july-2009.html blog post for more information]<br />
<br />
===Free or commercial?===<br />
* To select on business model see: [[Free_and_Commercial_extensions|Free and Commercial extensions]]<br />
<br />
===Naming===<br />
* [[Extensions_name|Extensions name]]<br />
<br />
===Packing===<br />
* Packing your extensions [[Extensions_packing|Extensions packing]]<br />
* [[Extensions_and_GPL#Extensions_pack_-_general_requirements|Extensions pack - general requirements]]<br />
<br />
===Distribution===<br />
Its important to have your files always a available to download<br />
* See how we can help you distributing your file [[Extensions_distribution|Extensions distribution]]<br />
<br />
===Extensions Security===<br />
* Tutorial: [[Securing Joomla extensions]]<br />
* FAQ: [[Security_and_Performance_FAQs#Joomla.21_Extensions|Security and Performance FAQs - Extensions Security]]<br />
<br />
==Your actions==<br />
===Submiting files===<br />
* Tutorial: [[How_do_you_list_your_extension_in_the_extensions_site%3F|How do you list your extension in the extensions site?]]<br />
<br />
====Extensions compatibility====<br />
'''Joomla! 1.0 compatible extensions''' - Since March 31st 2009, JED no longer accepts Joomla! 1.0 compatible-only extensions.<br />
* Read the [http://community.joomla.org/blogs/community/629-jed-will-phase-out-joomla-10-extensions-in-june-2009.html announcement]<br />
'''Joomla! 1.5/1.6/1.7 compatible extensions''' - Since April 1st, 2012, JED no longer accepts Joomla! 1.5/1.6/1.7 compatible-only extensions.<br />
* Read the [http://community.joomla.org/blogs/leadership/1566-the-jed-and-version-support.html announcement]<br />
<br />
====Submission Checklists====<br />
Your submission will be reviewed in a 4 steps process. Before you submit a file to JED you should also take the same steps to avoid delays in publishing:<br />
* Step A - [[JED_Entries_Submission_Checklist|Submission Checklist]]<br />
* Step B - [[JED_Entries_Trademark_Checklist|Trademark Checklist]]<br />
* Step C - [[JED_Entries_License_Checklist|License Checklist]]<br />
* Step D - [[JED_Entries_Installation_and_Functionality_Checklist|Installation and Functionality Checklist]]<br />
<br />
====How can I help to speed up my extension's approval time?====<br />
There are several ways you can help the extension submission process go faster and smoother.<br />
As you may know, the Joomla! Extension Directory is supported by volunteers and it takes time to go through all the extensions.<br />
You can help to speed up the approval process by making sure your extension:<br />
# uses GPL license and include [http://docs.joomla.org/Extensions_GPL_notices proper notices].<br />
# follows [http://opensourcematters.org/logo-usage-and-brand-guide.html Joomla's Logo and Brand guidelines].<br />
# has [http://opensourcematters.org/index.php?option=com_content&view=article&id=86 permission to use Joomla trademark] if your extension or site uses Joomla!'s trademark.<br />
# if using Joomla word, its an approved name: see [http://opensourcematters.org/extension-name-request.html Form for name request ].<br />
# does not conflict with other extension names [http://docs.joomla.org/Extensions_name Extensions name FAQ]<br />
# has valid links: [http://docs.joomla.org/Extensions_distribution see how we can help in distribution].<br />
# is downloadable by front-end/public/registered or guest user.<br />
# use the JEDChecker tool to find common submission errors: [http://extensions.joomla.org/extensions/tools/development-tools/21336 JEDChecker]<br />
# is installs on Joomla! unless your submission is for Tools category.<br />
# is installs and un-installs without error (please test it in different environments).<br />
# has all versions marked attached to listing<br />
# is compatible with the current supported Joomla! version<br />
# you do not impose additional restrictions on the usage, distribution or modification of the extension<br />
# does not require any type of 'key' to function (if you use a support/update key that calls home, it must be disabled by default - we highly recommend using the core Joomla updater released from version 1.6+ to avoid any issues)<br />
<br />
===Voting===<br />
You are not allowed to vote for extensions:<br />
* on same category as your files<br />
* those considered direct competition<br />
* your own files<br />
* if you have been suspended previously for fraudulent voting<br />
This applies also to people directly related to you: family, colleagues, employees and partners.<br />
<br />
===Promoting===<br />
* Soliciting reviews and votes: Extensions may only solicit votes and/or reviews in the manner defined in the TOS<br />
<br />
==Users actions on your entries==<br />
===Reviewers===<br />
====How can I, as a developer, get in contact with this particular reviewer?====<br />
You can´t. Identity of JED users will never be revealed. What we can do is to invite a user to contact developer when developer wants to help out with an issue raised in reviews. Developer should then provide us with contact details, and then we will provide this information to the user.<br />
<br />
<br />
==JED Categorization==<br />
===Can I suggest some changes to categorization?===<br />
Categories in JED is constantly evolving to cope with the increasing amount of extensions. We strive to provide a good categorization to fit all extensions listed in JED. If you feel that an extension deserved to be in another existing or new category, please use the "Report This" button and let us know about your suggestion. You can also open a support ticket.<br />
<br />
===Which category should I publish my extension?===<br />
If you are unsure where to publish your extension, a good starting point would be to look at other related extensions and find where they are listed.<br />
<br />
===Can I submit multiple listings at different categories for the same extension?===<br />
No. You are allowed to list your extension once in a category in JED.<br />
<br />
===Can I have my extensions listed at different categories?===<br />
No. Extensions can be listed in one category only.<br />
<br />
===What should I do if my extension is suitable to be listed in multiple categories?===<br />
We suggest that you use the Description field in your extension listing to communicate the suitability of your extension in other areas.<br />
<br />
===Can I request an Extension Specific Category?===<br />
Extension specific categories can be requested by a developer but are created at the sole discretion of the Joomla! Extensions Directory team and the CLT.<br />
In general, extension specific categories are created when there are 5 or more published extension-specific listings for a parent extension created by developers. To request an extension-specific category, open a [http://extensions.joomla.org/component/maqmahelpdesk/ Support Ticket] and provide a link to the listings that would go into the new category. <br />
Developers are welcome to create extension specific listings for other extensions.<br />
<br />
==Directory Rules==<br />
Joomla! Extensions Directory [http://extensions.joomla.org/tos Terms of Service (TOS)]<br />
===Trademarks===<br />
====Joomla! Trademark====<br />
The Joomla! name and logos are registered trademarks in the United States and elsewhere held by Open Source Matters. Permission, from OSM, to use these trademarks is usually required and is only granted subject to specific rules<br />
Trademarks [[JED_Entries_Trademark_Checklist|Trademark Checklist]]<br />
====3rd party trademarks====<br />
* Protecting trademarks<br />
* Name conflicts<br />
<br />
===Security Problems===<br />
When an extension its confirmed insecure it is unpublished from JED and listed at VEL (Vulnerable Extensions List)<br />
* FAQ: [[How_do_you_choose_secure_extensions%3F|How do you choose secure extensions?]]<br />
* FAQ: [[Why_does_the_Extensions_site_include_insecure_extensions%3F|Why does the Extensions site include insecure extensions?]]<br />
* [http://community.joomla.org/blogs/community/1111-the-vel-reporting-procedure-explained.html The Vulnerable Extension List procedure explained]<br />
** Vulnerable Extensions List: [http://vel.joomla.org]<br />
<br />
===Names and Alias===<br />
Each entry gets its own ID. A name alias will be created for that entry<br />
* [[Extensions_name|Extensions name]]<br />
<br />
===Forked extensions===<br />
We support the original project developer whenever possible to maintain the integrity of the listings and also support developers who are building and innovating on the Joomla platform. To have a forked project listed in the JED it must meet additional requirements over original extension<br />
* FAQ: [[Forked_Extensions|Forked Extensions]]<br />
<br />
==JED Editors actions==<br />
===Rejecting===<br />
* FAQ: [[Why_was_your_extension_rejected_from_being_listed%3F|Why was your extension rejected from being listed?"]]<br />
<br />
===Unpublishing===<br />
When an entry its unpublished a short note its displayed in the public page. An email is sent to the developer. You can contact with JED team by the [http://extensions.joomla.org/component/maqmahelpdesk/ Ticket Support System] to solve issues and get your extension republished.<br />
<br />
See [http://extensions.joomla.org/index.php?option=com_content&id=53 Description of Unpublish Reason Codes (UR Codes)] for more information on how to solve issues with your listing.<br />
<br />
===Violations ans Suspensions===<br />
See Terms of Service [http://extensions.joomla.org/tos TOS, J- Violations]<br />
<br />
==JED Team Contact==<br />
* Forum to discuss general issues [[jforum:262|JED Forum]]<br />
* [http://extensions.joomla.org/component/maqmahelpdesk/ Ticket Support System] for listings (the JED does not handle listing support through email, only through our ticket support system)<br />
<br />
==Additional reading==<br />
* Directory TOS: [http://extensions.joomla.org/tos Terms of Service (TOS)]<br />
* GPL FAQ for extensions: [[Extensions_and_GPL|Extensions and GPL]]<br />
* See more FAQs: [[Category:JED|JED additional Faq]]<br />
* Help: http://extensions.joomla.org/help2<br />
<br />
[[Category:JED]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-05-01T23:46:17Z
<p>Mandville: </p>
<hr />
<div><br />
<br />
{{notice|This document has now been replaced by the website at [http://vel.joomla.org/] vel.joomla.org from 1st May 2013<br />
Please refer to there for the latest updates}}<br />
<br />
<!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
{{notice|small=yes|image=Stop hand nuvola.svg<br />
|header=Procedure change|All reports are now to be made via vel.joomla.org.}}<br />
Report Vulnerable extensions in the [[http://vel.joomla.org|vel.joomla.org]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3]<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-05-01T00:11:33Z
<p>Mandville: </p>
<hr />
<div>This document has now been replaced by the website at [http://vel.joomla.org/ from 1st May] 2013<br />
Please refer to there for the latest updates<br />
<br />
<!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3]<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-29T20:02:01Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3]<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-28T07:34:33Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|style="background:red; color:white" |<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-28T07:33:01Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
<br />
|-<br />
|<br />
== civic crm 422==<br />
|upload exploit /RFI<br />
|260413<br />
|developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1<br />
|-<br />
|<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-26T19:47:42Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-23T08:27:14Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|<br />
== alfcontact ==<br />
|xss<br />
|230413<br />
|<br />
<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-16T18:56:33Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|<br />
== aiContactSafe 2.0.19 ==<br />
|xss<br />
|160413<br />
|developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-04-06T20:38:17Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] <br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-03-18T23:33:22Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSfiles==<br />
|SQL<br />
|180313<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-02-28T02:44:24Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-01-23T08:55:04Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Collector ==<br />
|Various [steevo.fr]<br />
|230113<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== KSAdvertiser ==<br />
| RFI <br />
|160712<br />
|The security update version 1.5.72 advise can be found here:<br />
[http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Shipping by State for Virtuemart ==<br />
|elevated permissions (http://web-expert.gr/en)<br />
|160612<br />
| [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ownbiblio 1.5.3 ==<br />
|SQLi + <br />
|250512<br />
|<br />
|-<br />
|<br />
<br />
== Ninjaxplorer <=1.0.6 ==<br />
|developer notification<br />
|250412<br />
|developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Phoca Fav Icon ==<br />
|Permissions Rewrite<br />
|150412<br />
| [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== estateagent improved ==<br />
|sqli (eaimproved.eu)<br />
|110412<br />
|developer states previous version, not current version<br />
|-<br />
|<br />
<br />
== bearleague ==<br />
|110412<br />
|sql <br />
|(no longer maintained)<br />
|-<br />
|<br />
<br />
== JLive! Chat v4.3.1 ==<br />
|DT <br />
|060412<br />
|Developer reports [http://www.cmsfruit.com/security-measures.html as unproven]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== virtuemart 2.0.2 ==<br />
|SQLi <br />
|050412<br />
|developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released<br />
|-<br />
|<br />
<br />
== JE testimonial ==<br />
|SQLi <br />
|230312<br />
|Developer states '''malicious report.'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JaggyBlog ==<br />
|excessive file permission <br />
|090212<br />
|version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Quickl Form ==<br />
|xss<br />
|260112<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== com_advert ==<br />
|sqli - unknown developer<br />
|240112<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla Discussions Component ==<br />
|sqli <br />
|180112<br />
|Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== HD Video Share (contushdvideoshare) ==<br />
|sqli <br />
|180112<br />
|updated [http://www.hdvideoshare.net version 2.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
== January 2011 - Jan 2012 Reported Vulnerable Extensions ==<br />
<br />
<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes]<br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Simple File Upload 1.3 ==<br />
|RFI<br />
|010112<br />
| Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Dshop ==<br />
|sqli (possibly dhrusya.com)<br />
|201111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== QContacts 1.0.6 ==<br />
|sqli <br />
|131211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jobprofile 1.0 ==<br />
| SQL Injection Vulnerability<br />
|051211<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JX Finder 2.0.1 ==<br />
| XSS Vulnerabilities<br />
|011211<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wdbanners ==<br />
|Unknown Exploit<br />
|301111<br />
|<br />
|-<br />
|<br />
== JB Captify Content J1.5 and J1.7 ==<br />
|Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip<br />
|141111<br />
|All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Microblog ==<br />
|Security checks missing - J1.7 only. Versions prior to 1.10.3 <br />
|14111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Slideshow <3.5.1, ==<br />
|Security checks missing<br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
<br />
== JB Bamboobox ==<br />
|Security checks missing - J1.5 all versions prior to 1.2.2 <br />
|141111<br />
|All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.<br />
|-<br />
|<br />
== RokModule ==<br />
|SQLI - exploits RokStock RokWeather RokNewspager<br />
|121111<br />
|developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== hm community ==<br />
|Multiple Vulnerabilities<br />
|011111<br />
|developer release [http://joomlaextensions.co.in/product/HM-Community 1.01]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Alameda ==<br />
|SQLi<br />
|01111<br />
|developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Techfolio 1.0 ==<br />
|Techfolio 1.0 SQLI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Barter Sites 1.3 ==<br />
|Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities<br />
|291011<br />
|developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jeema SMS 3.2 ==<br />
|Jeema SMS 3.2 Multiple Vulnerabilities<br />
|291011<br />
|developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Vik Real Estate 1.0 ==<br />
|Vik Real Estate 1.0 Multiple Blind SqlI<br />
|291011<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== yj contact ==<br />
|LFI (youjoomla contact)<br />
|241011<br />
|developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== NoNumber Framework ==<br />
| Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview<br />
|181011<br />
|see http://feeds.feedburner.com/nonumber/news for updates of various extensions<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Time Returns ==<br />
|SQLi takeaweb.it<br />
|151011<br />
|No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple File Upload ==<br />
|LFI <br />
|300811<br />
|developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jumi ==<br />
|LFI<br />
|300811<br />
|Developer states proper use of joomla administration/extension documentation reading<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomla content editor ==<br />
|JCE lfi/rfi vulnerability<br />
|<br />
|JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released]<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Google Website Optimizer ==<br />
|Numerous vulnerabilities. Website Optimizer, Pearl Group<br />
|290811<br />
|developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Almond Classifieds ==<br />
|777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) <br />
|260811<br />
|developer resolution [http://www.almondsoft.com/acj/ notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== joomtouch ==<br />
|LFI/RFI<br />
|180811<br />
|developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== RAXO All-mode PRO ==<br />
|Timthumb RFI <br />
|110811<br />
|[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== V-portfolio ==<br />
|DT - open folders<br />
|110811<br />
| [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== obSuggest ==<br />
|LFI<br />
|310711<br />
|developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Simple Page ==<br />
|LFI <br />
|230711<br />
|developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story ==<br />
|LFI <br />
|230711<br />
|[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== appointment booking pro ==<br />
|LFI 22071<br />
|<br />
|[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable,<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== acajoom ==<br />
|xss (admin permission required)<br />
|220711<br />
|updated to 5.20<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== gTranslate ==<br />
|ID - <br />
|220711<br />
|[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26.<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== alpharegistration ==<br />
|http://www.alphaplug.com/ Please contact the developer for any questions on this extension<br />
|170711 220711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Jforce ==<br />
|DT - <br />
|170711<br />
| [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Flash Magazine Deluxe Joomla ==<br />
|ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities]<br />
|170711<br />
|[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== AVreloaded ==<br />
|SQLi - version 1.2.6<br />
|150711<br />
|[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Sobi ==<br />
|SQLI - <br />
|130711<br />
|[http://www.sigsiu.net/changelog developer fix and update statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== fabrik ==<br />
|sqli <br />
|120711<br />
|[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1]<br />
|-<br />
|<br />
<br />
== xmap ==<br />
|sqli 1.2.11 <br />
|120711<br />
|upgrade to 1.2.12<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Atomic Gallery ==<br />
|Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] <br />
|110711<br />
|developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog]<br />
|-<br />
|<br />
<br />
== myApi ==<br />
|ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] <br />
|020711<br />
|[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== mdigg ==<br />
|SQL I (not listed in JED)<br />
|020711<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Calc Builder ==<br />
|sqli + ID<br />
|180611<br />
| [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Cool Debate ==<br />
|Cool Debate 1.03 LFI<br />
|<br />
| version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Scriptegrator Plugin 1.5.5==<br />
|LFI<br />
|140611<br />
| [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Joomnik Gallery ==<br />
|SQLi<br />
|<br />
|[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JMS fileseller ==<br />
|LFI <br />
|0611<br />
|[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sh404SEF ==<br />
|low-level XSS security issue<br />
|300511<br />
|[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JE Story submit ==<br />
|LFI/RFI <br />
|<br />
|[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== FCKeditor ==<br />
|File Upload Vulnerability<br />
|230511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== KeyCaptcha ==<br />
|ID <br />
|190511<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ask A Question AddOn v1.1 ==<br />
|SQLi<br />
|160511<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Global Flash Gallery ==<br />
|flash-gallery.com xss <br />
|130511<br />
|[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com_google ==<br />
|LFI [http://freejoomlacomponent.appspot.com/ com_google]<br />
|080511<br />
|[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== docman ==<br />
|com-docman Input Validation Error <br />
|160511<br />
|[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Newsletter Subscriber ==<br />
|XSS <br />
|120511<br />
|[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Akeeba ==<br />
|akkeba backup and joomlapack<br />
|170411<br />
|[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Facebook Graph Connect ==<br />
|SID. call home device with user credentials<br />
|120411<br />
|[http://www.sikkimonline.info/security-notice dev update notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== booklibrary ==<br />
|SQLi ordasoft booklibrary<br />
|180311<br />
|[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== semantic ==<br />
|com semantic http://www.scms.es/joomla creates hidden admin users <br />
|150311<br />
|<br />
|-<br />
|<br />
<br />
== JOMSOCIAL 2.0.x 2.1.x ==<br />
|SID, open folders<br />
|120311<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== flexicontent ==<br />
|forced 777, malicious files <br />
|250311<br />
|[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jLabs Google Analytics Counter ==<br />
|jLabs Google Analytics Counter SID<br />
|<br />
|<br />
|-<br />
|<br />
== xcloner ==<br />
|Unspecified<br />
|260211<br />
|[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== smartformer ==<br />
|RFI<br />
|230211 (repeat of 041110)<br />
|[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== xmap 1.2.10 ==<br />
|Malicious payload in zip<br />
|230211<br />
|[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Frontend-User-Access 3.4.1 ==<br />
|Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI<br />
|030211<br />
|update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== com properties 7134 ==<br />
| http://com-property.com/ malicious files in script<br />
|<br />
|[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== B2 Portfolio ==<br />
|B2 portfolio 1.0 SQLi pulseextensions.com<br />
|250111<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== allcinevid ==<br />
|SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367<br />
|220111<br />
|[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice]<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== People Component ==<br />
|People component http://www.ptt-solution.com/vmchk/people-component.html sqli<br />
|150111<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jimtawl ==<br />
|Jimtawl LFI <br />
|251110<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Maian Media SILVER ==<br />
|Maian Media SQLi<br />
|151110<br />
|Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== alfurqan ==<br />
|alfurqan 1.5 sqli<br />
|151110<br />
|developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ccboard ==<br />
|[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi]<br />
|131110<br />
| on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ProDesk v 1.5 ==<br />
|LFI <br />
|091110<br />
|<br />
<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== sponsorwall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
|developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Flip wall ==<br />
|SQL injection pulseextensions.com<br />
|011110<br />
| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Freestyle FAQ 1.5.6 ==<br />
|http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection<br />
|<br />
|[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues.<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iJoomla Magazine 3.0.1 ==<br />
|iJoomla Magazine 3.0.1 RFI<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Clantools ==<br />
| <br />
|http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli<br />
|090910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jphone ==<br />
|jphone LFI<br />
|090910<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== PicSell ==<br />
|[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777]<br />
|020910<br />
|new version [http://vm.xmlswf.com/picsell released 150312] version number 11<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Zoom Portfolio ==<br />
|SID<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== zina ==<br />
|[http://www.pancake.org/zina/ SQL Injection]<br />
|020910<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Team's ==<br />
|[http://www.joomlamo.com Teams extension] SQL Injection <br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Amblog ==<br />
|[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi<br />
|120810<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== wmtpic ==<br />
|www.webmaster-tips.net various<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jomtube ==<br />
|http://www.jomtube.com/ SID<br />
|220710<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Rapid Recipe ==<br />
|http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 <br />
|july 10,2010<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Health & Fitness Stats ==<br />
|http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 <br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
<br />
== staticxt ==<br />
|http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided<br />
|<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== quickfaq ==<br />
|http://www.schlu.net sqli<br />
|090710<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Minify4Joomla ==<br />
|http://waltercedric.com/ LFI and xss<br />
|090710<br />
|No longer available to download<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== IXXO Cart ==<br />
|http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability<br />
|<br />
|developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== PaymentsPlus ==<br />
|http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability<br />
|090710 <br />
|current version 2.20, 2.1.5 not listed on dev site<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ArtForms ==<br />
|http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities<br />
|090710<br />
| Old beta extension <br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== autartimonial ==<br />
|autartica.be Sqli Vulnerability<br />
|060710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== eventcal 1.6.4 ==<br />
|http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode<br />
|040710<br />
|<br />
<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== date converter ==<br />
|http://sourceforge.net/projects/date-converter/ sqli<br />
|010710<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== real estate ==<br />
|http://www.opensourcetechnologies.com/demos/real-estate.html RFI<br />
|210610<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== cinema ==<br />
|SQL injection<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Jreservation ==<br />
|http://jforjoomla.com/ SQLi Vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== joomdocs ==<br />
|http://joomclan.com/index.php/JoomDocs/ xss vulnerability<br />
|190610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Live Chat ==<br />
|http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Turtushout 0.11 ==<br />
| http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again)<br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== BF Survey Pro Free ==<br />
|BF Survey Pro Free SQL Injection Exploit <br />
|190610<br />
|Product marker as retired by the developer<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MisterEstate ==<br />
|http://www.misterestate.com/ Blind SQL Injection Exploit <br />
|190610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== RSMonials ==<br />
|http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit<br />
|190610<br />
|Believed to be 1.5.1 version<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Answers v2.3beta ==<br />
|Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery XML 1.1 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JFaq 1.2 ==<br />
|JFaq 1.2 Multiple Vulnerabilities<br />
|180610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Listbingo 1.3 ==<br />
|Multiple Vulnerabilities<br />
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Alpha User Points ==<br />
|www.alphaplug.com LFI<br />
|180610<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== recruitmentmanager ==<br />
|http://recruitment.focusdev.co.uk Upload Vulnerability<br />
|130610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Info Line (MT_ILine) ==<br />
|http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file<br />
|120610<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ads manager Annonce ==<br />
|http://joomla.clubnautiquemarine.fr/ <br />
Upload Vulnerability<br />
| 05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== lead article ==<br />
|http://www.leadya.co.il/ SQLi<br />
|050610<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== djartgallery ==<br />
|http://www.design-joomla.eu Multiple Vul<br />
|05/06/10<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Gallery 2 Bridge ==<br />
|[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jsjobs ==<br />
|[http://www.joomsky.com jsjobs] SQL Injection Vulnerability<br />
|<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Poll ==<br />
|http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== MediQnA ==<br />
|MediQnA LFI vulnerability version : v1.1<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Job ==<br />
|http://joomlaextensions.co.in/ LFI SQLi<br />
|<br />
|<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SectionEx ==<br />
|Stack Ideas section Ex LFI<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ActiveHelper LiveHelp ==<br />
|XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] <br />
|200510<br />
|<br />
<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== JE Quotation Form ==<br />
|http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI<br />
|<br />
|developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== konsultasi ==<br />
|SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Seber Cart ==<br />
|Local File Disclosure Vulnerability<br />
|<br />
|[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510]<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Camp26 Visitor ==<br />
|RFI www.camp26.biz<br />
|<br />
|<br />
<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JE Property ==<br />
|JE Property Finder Upload Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Noticeboard ==<br />
|Noticeboard for Joomla "controller" Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
==SmartSite ==<br />
|SmartSite com_smartsite Local File Inclusion Vulnerability <br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== htmlcoderhelper graphics ==<br />
|htmlcoderhelper graphics v1.0.6 LFI Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Ultimate Portfolio ==<br />
|Ultimate Portfolio Local File Inclusion Vulnerability<br />
|<br />
|<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Archery Scores ==<br />
| [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability]<br />
<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ZiMB Manager ==<br />
|Joomla Component ZiMB Manager Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Matamko ==<br />
|Matamko Local File Inclusion Vulnerability<br />
|210410<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Root ==<br />
|Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Multiple Map ==<br />
|Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Contact Us Draw Root Map ==<br />
|Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== iF surfALERT ==<br />
|[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== GBU FACEBOOK ==<br />
|GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== jnewspaper ==<br />
|jnewspaper (cid) SQL Injection Vulnerability<br />
|<br />
|<br />
<br />
<br />
<br />
<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white" |<br />
== MT Fire Eagle ==<br />
<br />
|LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com<br />
| 190410<br />
| product considered retired and to be replaced by dev<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Sweetykeeper ==<br />
|Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== jvehicles ==<br />
|SQL Injection http://jvehicles.com<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== worldrates ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== cvmaker ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== advertising ==<br />
|http://dev.pucit.edu.pk/<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== horoscope ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== webtv ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== diary ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Memory Book ==<br />
|http://dev.pucit.edu.pk/<br />
|120410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== JprojectMan ==<br />
|LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676<br />
|110410<br />
|<br />
<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== econtentsite ==<br />
|LFI<br />
|040410<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== Jvehicles ==<br />
|ID<br />
|040410<br />
|<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== gigcalender ==<br />
<br />
|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]<br />
|13 march 2010<br />
|<br />
|-<br />
|style="background:red; color:white"|<br />
<br />
== heza content ==<br />
|SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content]<br />
|13 march 2010<br />
|<br />
<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== SqlReport ==<br />
|Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer.<br />
|Feb 20<br />
|'''Not Known'''<br />
<br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== Yelp ==<br />
| SQLi - Unable to locate developer. Possibly a custom extension.<br />
|Feb 01 <br />
|style="background:red; color:white" | ''' Not Known'''<br />
|-<br />
<br />
|-<br />
|<br />
<br />
== ==<br />
|<br />
|<br />
|<br />
|}<endFeed /><br />
<br />
''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD]<br />
''<br />
<br />
== Codes used ==<br />
SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia]<br />
<br />
LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd]<br />
<br />
RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia]<br />
<br />
DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders)<br />
<br />
ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge<br />
<br />
== Future Actions & WIP ==<br />
<br />
[http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions RSS feed] completed<br />
<br />
<br />
to feed VEL direct to twitter<br />
<br />
== Notes ==<br />
The RSS feed is currently fed by item entry order and not by date fixed. <br />
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville]<br />
<br />
----<br />
[[Category:Security]]<br />
[[Category:Component Management]]</div>
Mandville
http://docs.joomla.org/Vulnerable_Extensions_List
Vulnerable Extensions List
2013-01-14T00:08:48Z
<p>Mandville: </p>
<hr />
<div><!-- ***all wiki editors*** - do NOT touch without notice --><br />
'''List prior to Jnuary 2011 ([[Archived vel|now archived]])''' Please check here also. <br />
<!-- if you have altered the above line then revert your changes and contact me --><br />
Please also check the [[Investigation of exploits|Extension Investigation List]].<br />
<br />
== Check and Report. ==<br />
'''Please check with the extension publisher in case of any questions over the security of their product.'''<br />
Report Vulnerable extensions in the [[jforum:432|security forum]] clearly marked with the first word in the title being ''Vulnerable'' where the security moderators or JSST team will respond. <br />
This list is change protected,''' for additions or updates email''' ''vel @ joomla.org'' <br />
*If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly<br />
<br />
== How to use this list ==<br />
'''Items will be removed after a suitable period and not on resolution.'''<br />
<br />
All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension".<br />
Alert Advisory details are in the center column.<br />
If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known.<br />
<br />
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.''<br />
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link]<br />
* We do not list BETA products, or extensions for J1.0.x<br />
<br />
== Developers - How to get yourself removed from the VEL ==<br />
<br />
Resolved items will be removed after a suitable period and not on resolution<br />
<br />
Please solve the issues and:<br />
<br />
* '''If JED listed''' <br />
<br />
To have your extension republished, please follow these steps:<br />
<br />
1- Solve the issues.<br />
<br />
2- Attach the new zip file at your actual JED listing.<br />
<br />
3- Change the extension version at JED listing.<br />
<br />
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.<br />
<br />
5- Email the VEL team with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website<br />
<br />
6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page<br />
<br />
VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] <br />
<br />
* '''If not JED listed.''' <br />
Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website.<br />
<br />
== January 2012 and onwards Reported Vulnerable Extensions ==<br />
<startFeed /><br />
{| class="wikitable sortable" border="1"<br />
|-<br />
! '''Extension'''<br />
! class="unsortable"| '''Details'''<br />
! '''Date Added'''<br />
! class="unsortable" |'''Extension Update Link & Date'''<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== tz guestbook ==<br />
|Various <br />
|100113<br />
|developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2]<br />
|-<br />
|<br />
<br />
== extplorer ==<br />
| 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass<br />
|251212<br />
|developer [http://extplorer.net/news/12 update to 2.1.3 statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== JooProperty ==<br />
|SQLi<br />
|101212<br />
|developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Multiple Customfields Filter for Virtuemart ==<br />
|SQLi<br />
|18212<br />
|developers [http://myext.eu/en/update/47-v1-66 update statement] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== ag google analytic ==<br />
|Various<br />
|061212<br />
|<br />
|-<br />
|<br />
<br />
== sh404sef <3.7.0 ==<br />
|Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5<br />
|26112<br />
|developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== Login Failed Log ==<br />
|23112<br />
|ID - information disclosure<br />
|developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4<br />
|-<br />
|<br />
<br />
== jNews==<br />
|<br />
|131112<br />
|developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Joombah Jobs ==<br />
|Upload restriction issues<br />
|131112<br />
|developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== commedia ==<br />
|RFI<br />
|231012<br />
|developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Kunena ==<br />
|SQLi + ID<br />
|221012<br />
|Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== Icagenda ==<br />
|SQLi<br />
|<br />
|Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] <br />
|-<br />
|style="background:red; color:white" |<br />
<br />
== JTag [joomlatag] ==<br />
|SQLi<br />
|<br />
|<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
== Freestyle Support ==<br />
|SQLi<br />
|<br />
|developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ACEFTP ==<br />
|DT <br />
|011012<br />
|AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012<br />
|-<br />
|<br />
<br />
== MijoFTP ==<br />
|DT <br />
|011012<br />
|*''reported fixed prior to notification''*<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== spider calendar lite ==<br />
|RFI <br />
|180912<br />
|developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version]<br />
|-<br />
|<br />
<br />
== RokModule ==<br />
|SQLi<br />
|Rereported 180912<br />
|Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4]<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== ICagenda ==<br />
| SQLi<br />
|developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1<br />
|080912<br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
<br />
== En Masse cart ==<br />
|RFI<br />
|060812<br />
|Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3]<br />
|-<br />
|<br />
<br />
== JCE (joomla content editor) ==<br />
|Upload Restriction <2.2.4 <br />
|050812<br />
|Developer states current version not exploitable <br />
|-<br />
|<br />
<br />
== RSGallery2 ==<br />
|SQLi XSS<br />
| 31 07 12<br />
|Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] <br />
|-<br />
|style="background:#cef2e0; color:black" |<br />
<br />
== osproperty ==<br />
|Unrestricted uploads<br />
|160712<br />
|Developer release [http://joomservices.com/components/osso