Vulnerable Extensions List
From Joomla! Documentation
Revision as of 09:27, 18 October 2010 by Mandville (talk | contribs) (→December 2009 Compiled Reports)
This page has been archived. It contains information for an unsupported Joomla! version or is no longer relevant. It exists only as a historical reference; it will not be improved, and its content may be incomplete and/or contain broken links.
List prior to December 09 [now archived]
Please also check the Extension Investigation List
Check and Report
Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic or in the extensions topic, clearly marked with the first word in the title being "Vulnerable", where the security moderators or the JSST team will respond. This list is change protected; for additions or updates, email vel @ joomla.org. Mandville and lafrance are the main editors.
- If you are seeing this page on any site other than the official Joomla! Documentation you may be seeing an out-of-date version or a plagiarised copy, and the links may not work properly.
How to use this list
Items will be removed after a suitable period, not on resolution. All known vulnerable extensions are listed in the first column; any in a red box are high severity and we have not been given a fix for them. The centre column holds the alert or advisory details, followed by the link to the advisory notice. Finally there is a link to the notice about any update, or Not Known where none is known.
This list is compiled from found information and may not be an up-to-date or accurate list. We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link.
- We do not list BETA products
Developers - How to get yourself removed from the VEL
Resolved items will be removed after a suitable period, not on resolution.
Please solve the issues and:
- If JED listed
Attach the new zip file at your actual JED listing.
Change the extension version at JED listing.
Contact the JED by mail back with a notice and ask them republish your listing.
- If not JED listed.
Inform us by email of the link to your resolution notice on your website.
November 2009 Compiled Vulnerability Reports
Items are not in any particular order.
Extension | Details | Reference Link | Extension Update Link |
---|---|---|---|
com_djcatalog | Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php. Published: 10/11/2009 CVSS Severity: 6.8 (MEDIUM) | CVE-2009-3661 | Not Known |
com_soundset | Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php. Published: 10/09/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3644 | Not Known |
com_sportfusion | Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php. Published: 09/30/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3491 | Not Known |
com_icrmbasic | Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Published: 09/30/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3481 | Not Known |
com_mytube | Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php. Published: 09/28/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3446 | Not Known |
com_facebook | Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php. Published: 09/28/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3438 | JED entry. Download site. Developer states reports not proven 24/07/10 |
com_tupinambis | Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php. Published: 09/28/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3434 | Not Known |
com_hbssearch | Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php. Published: 09/24/2009 CVSS Severity: 4.3 (MEDIUM) | CVE-2009-3368 | Not Known |
com_hbssearch | Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875. Published: 09/24/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3357 | Not Known |
TurtuShout | Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field. Published: 09/24/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3335 | Not Known |
com_jinc | Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php. Published: 09/23/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3334 | Not Known |
com_surveymanager | Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php. Published: 09/23/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3325 | Not Known |
com_album | Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php. Published: 09/23/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3318 | Not Known |
IXXO Cart Standalone | Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter. Published: 09/16/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3215 | Not Known |
com_digifolio | Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php. Published: 09/15/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3193 | Not Known |
com_aclassf | Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter. Published: 09/10/2009 CVSS Severity: 4.3 (MEDIUM) | CVE-2009-3155 | Not Known |
com_jabode | Summary: SQL injection vulnerability in Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php. Published: 09/08/2009 CVSS Severity: 7.5 (HIGH) | CVE-2008-7169 | Not Known |
com_gameserver | Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php. Published: 09/03/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3063 | Not Known |
com_artportal | Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php. Published: 09/03/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3054 | Not Known |
com_simpleshop | Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect. Published: 08/24/2009 CVSS Severity: 7.5 (HIGH) | CVE-2008-7033 | Not Known |
com_groups | Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Published: 08/17/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-2789 | Not Known |
com_livechat | Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Published: 07/30/2009 CVSS Severity: 7.5 (HIGH) | CVE-2008-6883 | Not Known |
com_livechat | Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string. Published: 07/30/2009 CVSS Severity: 7.5 (HIGH) | CVE-2008-6882 | Not Known |
com_livechat | Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php. Published: 07/30/2009 CVSS Severity: 7.5 (HIGH) | CVE-2008-6881 | Not Known |
com_jshop | Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php. Published: 11/02/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-3835 | Not Known |
EasyBook 2.0.0rc4 | Summary: The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009 | Alert | |
F!BB 1.5.96 | Summary: The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature. Added November 2009 | Alert | Not Known |
Testimonial Ku 2.0 Admin Panel | Summary: The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009 | Alert | Not Known |
MS Comment 0.8.0b | Summary: MS Comment 0.8.0b for Joomla, a commenting plugin, suffers from multiple vulnerabilities. Added November 2009 | Alert | Not Known |
WebAmoeba Ticket System 3.0.0 | Summary: WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is in the BBCode library used to parse BBCode tags, as it does not strip javascript: URLs from [url] tags. Added November 2009 | Alert | Not Known |
com_siirler | Summary: SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009 | CVE-2009-3972 | Not Known |
jTips (com_jtips) | Summary: SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009 | CVE-2009-3971 | Not Known |
JoomClip | Summary: The JoomClip component for Joomla! is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009 | secunia.com 37400/ | Not Known |
Mygallery Remote SQL Injection Vulnerability | Summary: Joomla Component mygallery (farbinform_krell) Remote SQL Injection Vulnerability. Added 27 Nov 2009. NB: This could be an error in our database, as the only one we could find was for WordPress. If anyone knows of one for Joomla please let us know (possibly joomlicious.com CM) | [1] | Not Known |
Extreme Google Calendar | Summary: com_gcalendar 1.1.2 (gcid) Remote SQL Injection Vulnerability. A remote SQL injection was identified in the Google Calendar Component. Extension Link. Added 27 Nov 2009 | reference | Not Known |
LyftenBloggie | Summary: LyftenBloggie Component "author" SQL Injection Vulnerability, LyftenBloggie 1.x. Added 27 Nov 2009 | SA37499 | Unofficial fix. Developer fix not released as of 30 Nov 09; 1.0.4a (last update on Dec 28, 2009) |
December 2009 Compiled Reports
Extension | Details | Reference Link | Extension Update Link |
---|---|---|---|
Omilen Photo Gallery | Summary: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php. Published: 12/04/2009 | CVE-2009-4202 | Not Known |
Seminar | Summary: SQL injection vulnerability in the Seminar (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php. Published: 12/04/2009 | CVE-2009-4200 | V1.29 released |
ProofReader | Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM) | CVE-2009-4157 | Not Known |
D4J eZine | Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) | CVE-2009-4094 | Not Known |
Quick News | Summary: The Joomla Quick News component suffers from a remote SQL injection vulnerability. added 1st Dec 09 | Reference | Not Known |
mojoblog | Summary: MojoBlog Multiple Remote File Include Vulnerability. added 1st Dec 09 | 7509 | Not Known |
TP Whois | Summary: TP Whois. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Added 3 December | Reference | Not Known |
com_job | Summary: Component com_job (showMoreUse) SQL injection vulnerability. Added 9th Dec | Reference | Not Known |
Mamboleto Component 2.0 RC3 | Summary: Mamboleto Component 2.0 RC3 SQL injection vulnerability. added 12 December | Reference | Not Known |
Kide Shoutbox | Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08 | CVE-2009-4232 | Not Known |
JoomPortfolio Component | Summary: JoomPortfolio. Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18 | Reporting Site | Not Known |
City Portal (templates?) | Summary: City Portal Blind SQL Injection Vulnerability. added: 2009-12-18 | Reference. Possibly this template | Not Known |
Event Manager | Summary: Event Manager Blind SQL Injection Vulnerability EDB-ID: 10549. added: 2009-12-18 | Reference | Not Known |
com_zcalendar | Summary: com_zcalendar Blind SQL-injection Vulnerability EDB-ID: 10548. added: 2009-12-18 | Reference | Not Known |
com_acmisc | Summary: com_acmisc SQL injection added: 2009-12-18 | Reference | Not Known |
com_jbook | Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18 | Reference | Not Known |
com_personel | Summary: com_personel component for Joomla! is vulnerable to SQL injection. | iss.net reference | Not Known |
HotBrackets Tournament Brackets | Summary: The HotBrackets Tournament Brackets component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. added 22 dec | Reference | Not Known |
Car Manager | Summary: http://webformatique.com/ com_carman Cross Site Scripting Vulnerability added 24 december 09 | Reference | Not Known |
Schools component | Summary: The 'com_schools' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. | Reference added 24 dec 09 | Not Known |
webcamxp | com_webcamxp Cross Site Scripting Vulnerabilities Last version 2008 Dec 27 | Reference | Not Known |
jm-recommend | jm-recommend Cross Site Scripting Vulnerabilities. Unable to locate on JED. Dec 27 | Reference | Not Known |
facileforms | com_facileforms Cross Site Scripting Vulnerabilities. Unable to locate on JED. Product considered retired. Dec 27 | Reference | Not Known |
adagency | adagency Vulnerabilities Dec 27 | Reference | Not Known |
com_intuit | com_intuit Local File Inclusion Vulnerability Dec. 27 | Reference | Retired |
MemoryBook | MemoryBook 1.2 Multiple Vulnerabilities. requires: magic quotes OFF, user account Dec. 27 | Reference | Not Known |
qpersonel | qpersonel Cross Site Scripting Vulnerabilities File:Http://extensions.joomla.org/images/jed/compat 15 legacy.png Dec. 27 | Reference | Not Known |
opryknings point | com_oprykningspoint_mc Cross Site Scripting Vulnerabilities Dec. 27 | Reference | Not Known |
trabalhe conosco | com_trabalhe_conosco Cross Site Scripting Vulnerabilities Dec. 27 | Reference | Not Known |
DhForum | com_dhforum SQL Injection Vulnerability. considered retired/EOL Dec. 27 1.5 legacy | Reference | Not Known |
January 2010 Reported Vulnerable Extensions
Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic or in the extensions topic, clearly marked with the first word in the title being "Vulnerable", where the security moderators or the JSST team will respond. This list is change protected; for updates or editing requests contact Mandville or lafrance.
Extension | Details | Reference Link | Extension Update Link | |
---|---|---|---|---|
JvideoDirect | Summary: Jvideodirect SQLi Jan 29 | Update version 2.5 | ||
JEvent search plugin | Summary: JEvent search plugin for JEvent SQLi reported Jan 29 | upgrade to 1.5.3b | ||
Kunena | Summary: Kunena re-reported as suffering SQLi in version 1.5.9 Jan 29. Confirmation Required. Now found to be malicious | Versions 1.5.5 and below only | ||
JE Quiz | Summary: http://extensions.joomla.org/extensions/contacts-and-feedback/quiz-a-surveys/11212 JeQuiz SQLi reported 29 Jan | Not Known | ||
idoblog | Summary: exploitable due to open file permissions. 28 Jan | Private Notification | build 35 released | |
ccnewsletter | Summary: ccnewsletter Directory Traversal Vulnerability Jan 28 | Private Notification | version 1.0.6 released 29 Jan | |
Virtuemart 1.1.4 | Summary: virtuemart input var order_status_id is vulnerable to SQLi. NB: Requires higher level access before exploiting. Jan 27 | developer patches | ||
JBDiary | Summary: JBDiary BLIND SQL Injection Vulnerabilities Jan 24 http://www.jb-soft.nl/ | Developer Update 27 Jan | ||
JbPublishDownFp | Summary: JbPublishDownFp SQL Injection Vulnerability Jan 24 http://www.jb-soft.nl | Developer Update Jan 27 | ||
com_casino | Summary: com_casino SQL Injection Vulnerabilities Jan 24 | Not Known | ||
Mochigames | Summary: com_Mochigames SQL Injection Vulnerabilities Jan 24 | mochigames_alpha052 Released | ||
ContentBlogList | Summary: com_ContentBlogList SQL Injection Vulnerability Jan 23 | Reference | Not Known | |
MailChimp for Joomla 1.5 | Summary: MailChimp for Joomla 1.5 jan 17 | Developer Statement | Not Known | |
JoomlaXML | Summary: JoomlaXML malicious code insertion | Not Known | ||
JVClouds3D SWF module | JVClouds3D SWF module Cross Site Scripting . jan 14 | xforce | Not Known | |
JVClouds3D | JVClouds3D module Cross Site Scripting . jan 14 | xforce | Not Known | |
JA Showcase | JA Showcase component Directory Traversal jan 14 | xforce | Not Known | |
jprojects | Summary: Unknown Author com_j-projects Blind SQL Injection Vulnerability. Jan 10 detail update | Reference | Not Known | |
jEmbed-Embed Anything | jEmbed-Embed Anything A vulnerability has been discovered in the jEmbed-Embed Anything component for Joomla, which can be exploited by malicious people to conduct SQL injection attacks. Jan 10 | Secunia Advisory: SA38112 | Product considered retired | |
perchagallery | Summary: perchagallery com_perchagallery SQL Injection Vulnerability Jan 7 | Reference | Developer Update 1.5b | |
CARTwebERP | Summary: CARTwebERP Local File Inclusion Vulnerability Jan. 3 | Reference | 1.56.76 (last update on Jan 11, 2010) | |
JoomlaBibleStudy | Summary: JoomlaBibleStudy LFI Vulnerability Jan. 3 | Reference | Developer reported update | |
com_bfsurvey_basic and pro | Summary: BFsurvey SQL Injection Vulnerability ,LFI Vulnerability Jan. 3 | Reference | Developer Update announcement | |
Alfresco | Summary: SQL Injection Vulnerability. Not believed to be Joomlatools extension Jan. 3 | Reference | Not Known | |
abbrev | Summary: abbrev Local File Inclusion Vulnerability Jan. 3 | Reference | Not Known | |
countries | Summary: countries SQL Injection Vulnerability Jan. 3 | Reference | Not Known | |
Dedicated Component com_tpjobs | Summary: tpjobs SQL Injection Vulnerability unable to locate files probably template plaza Jan. 3 | Reference | Developer Update | |
Component com_doqment | SQL Injection Vulnerability Jan. 3 | Reference | Not Known | |
Component com_otzivi | Blind SQL Injection Vulnerability Jan. 3 | Reference | Not Known | |
aprice | Summary: com_aprice Component 'analog' Parameter SQL Injection Vulnerability | Report | Not Known | |
cartikads | Summary: com_cartikads Remote File Upload Vulnerability. Mambo Open Source ads management component | Reference | Not Known | |
Docman seller | Summary: Document seller. Input passed via the "id" parameter to index.php (when "option" is set to "com_dm_orders", "task" is set to "order_form", and "payment_method" is set to "Paypal") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. | secunia | Updated 10th Jan | |
ozio gallery | Summary: Ozio Gallery2 SQLi exploit | Reference | developer update Jan 11 | |
RD-Autos Free | RD-Autos Free This version is now commercial not free | Private advisory to JED Jan 11 | Product Retired and replaced | |
DailyMeals | Summary: dailymeals Local File Inclusion Vulnerability Jan 02 | Reference | Not Known | |
RD-Autos Pro | RD Autos Pro | Private advisory to JED Jan 11 | Upgrade to Latest version be 2.0.2 | |
New format Feed Starts Here
Please do not change your feed url, only the feed format has changed.
February 2010 and onwards Reported Vulnerable Extensions
Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions in the jforum:432 security topic, clearly marked with the first word in the title being "Vulnerable Report", where the security moderators or the JSST team will respond. For a guide to the codes
Extension | Details | Date Added | Extension Update Link & Date |
---|---|---|---|
K2 joomlaworks | http://getk2.org/ k2 XSS | version 2.4.1 | |
Mosets Tree 2.1.5 | Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI | | |
Freestyle FAQ 1.5.6 | http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection | | |
JE FAQ Pro | JE FAQ Pro various reports | 090910 | Developer update notice |
iJoomla Magazine 3.0.1 | iJoomla Magazine 3.0.1 RFI | 090910 | |
Clantools | http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html Clantools SQLi | 090910 | |
jphone | jphone LFI | 090910 | |
Gantry Framework | SQL injection | 050910 | Update to 3.0.11 |
PicSell | LFD, 777 | 020910 | |
JE FAQ Pro | SID | 020910 | Developer update notice |
Zoom Portfolio | SID | 020910 | |
zina | SQL Injection | 020910 | |
Team's | Teams extension SQL Injection | 120810 | |
Amblog | Amblog SQLi | 120810 | |
Graffiti Wall | Graffiti Wall for JomSocial silent 777 | 310710 | Dev statement: 1.1 is a security release. Folder permission was set by default as 777, which is insecure. |
Spielothek | http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation | 290710 | Dev states version 1.7.1 resolves issues 020810 |
Aardvertiser | http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777 | 290710 | dev announces silent 0777 fixed in Version 2.1 290710 |
FW Real Estate Light | http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777 | 290710 | version 1.1 reported as fixing the 777 issue |
jDownloads | http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting | 2807110 | 1.7.4 RC3 Build 771 update on Jul 29 to remove 0777 |
TTVideo | TTVideo 1.0 Joomla SQL Injection Vulnerability | 270710 | dev updated the component to prevent this. 280710. Users are no longer able to download the previous version. |
frei-chat2.0 | http://code.google.com/p/frei-chat/downloads/list XSS vulnerability | 230710 | Dev announcement to fix 2.1.2 for FreiChat [those having CB installed] and 1.2.2 for FreiChatPure [extension independent] 240710 |
QContacts | http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 Version: 1.0.4 reported, current version 1.0.6 | 220710 | |
Jomtube | http://www.jomtube.com/ SID | 220710 | |
mysms | http://www.willcodejoomlaforfood.de/ Upload Vulnerability | July 10, 2010 | 290710 released version 1.5.12. |
Rapid Recipe | http://www.rapid-source.com Persistent XSS Vulnerability, last known fix version 1.7.2 | July 10, 2010 | |
Health & Fitness Stats | http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability July 10, 2010 | | |
staticxt | http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided | | |
EasyBlog | http://stackideas.com/products/easyblog.html XSS (new report) July 10, 2010 | | |
redshop light | http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and SQLi | 110710 | Developer reported fix and upgrade to RC2 |
quickfaq | http://www.schlu.net SQLi | 090710 | |
Minify4Joomla | http://waltercedric.com/ LFI and XSS | 090710 | No longer available to download |
IXXO Cart | http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability | | |
Music Manager | LFI | http://danieljamesscott.org/software/4-joomla-extensions/4-music-manager.html | |
PaymentsPlus | http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability | 090710 | current version 2.20, 2.1.5 not listed on dev site |
ArtForms | http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities | 090710 | Old beta extension |
NeoRecruit | neojoomla.com SQL Injection | neorecruit vers 1.4 060710 | dev statement of fix in 1.4.1 and safe 2.0.5 |
autartimonial | autartica.be SQLi Vulnerability | 060710 | |
Jobs Pro | instantphp.com/ SQLi | 060710 | devs announcement of fix 130710 |
JPodium | http://www.jpodium.de/ SQL Injection | 060710 | Devs statement as to not proven |
Front-End Article Manager System | http://b-elektro.no/ Upload Vulnerability | 040710 | |
addressbook | http://b-elektro.no/ Upload Vulnerability | 040710 | |
NinjaMonials | http://ninjaforge.com/ SQLi Vulnerability | 040710 | 070410 Discovered to be malicious/false report, see devs notice |
Phoca Gallery | SQLi, wrong download location in report | 040710 | |
socialads | techjoomla.com/ XSS Vulnerability | 040710 | Developers resolved statement |
eventcal 1.6.4 | http://joomlacode.org/gf/project/eventcal/frs/ SQLi, last update 2006-12-31 on joomlacode | 040710 | |
myblog controller | LFI | 010710 | MyBlog 3.0.332 |
joomanager | SQLi Vulnerability | 010710 | |
gamesbox | SQL Injection Vulnerability http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox | 010710 | upgrade to 1.0.10 |
wmtpic | www.webmaster-tips.net various | 010710 | |
date converter | http://sourceforge.net/projects/date-converter/ SQLi | 010710 | |
Remository | http://remository.com/ LFI (proc) | 010710 | Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710 |
RokBridge 1.0rc12 | http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SDI | 090810 | RokBridge has been updated to version 1.0rc13. 120810 |
real estate | http://www.opensourcetechnologies.com/demos/real-estate.html RFI | 210610 | |
jomsocial | Version: 1.6.288 Multiple XSS | 210610 | 1.6.291 released 220610 |
DOCman | DOCman 1.5.7 DOCman 1.4.0 none specific exploit | 210610 | developer announcement |
eportfolio | http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability | 200610 | Developer announcement 270810 |
cinema | SQL injection | 190610 | |
Jreservation | http://jforjoomla.com/ SQLi Vulnerability | 190610 | |
Super Messenger | axxis.gr XSS | 190610 | |
joomdocs | http://joomclan.com/index.php/JoomDocs/ XSS vulnerability | 190610 | |
RSComments 1.0.0 | Persistent XSS NOTE: ONLY executes in backend! | 190610 | Developer update announcement 210610 |
Live Chat | http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities | 190610 | |
Turtushout 0.11 | http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) | 190610 | |
BF Survey Pro Free | BF Survey Pro Free SQL Injection Exploit | 190610 | |
MisterEstate | http://www.misterestate.com/ Blind SQL Injection Exploit | 190610 | |
RSMonials | http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit | 190610 | Believed to be 1.5.1 version |
RSComments 1.0.0 | RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted) | 180610 | Developer update announcement 210610 |
Answers v2.3beta | Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 | 180610 | |
Gallery XML 1.1 | Multiple Vulnerabilities http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504 | 180610 | |
JFaq 1.2 | JFaq 1.2 Multiple Vulnerabilities | 180610 | |
Listbingo 1.3 | Multiple Vulnerabilities http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062 | 180610 | |
PowerMail Pro | PowerMail Pro Local File Inclusion Vulnerability | Dev update statement 151010 | |
Alpha User Points | www.alphaplug.com LFI | 180610 | |
Magic Updater | http://software.realtyna.com/ RFI | 170610 | |
recruitmentmanager | http://recruitment.focusdev.co.uk Upload Vulnerability | 130610 | |
Info Line (MT_ILine) | http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file | 120610 | |
Search Log[edit] |
http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi | 080610 | Developer cited update to version 3.1.1 100710 | |
iJoobi[edit] |
Numerous reports under investigation, please contact [www.ijoobi.com]for more information.jtickets, jsubscription SQL Injection Vulnerability,
jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection, |
090610 | ||
Ads manager Annonce[edit] |
http://joomla.clubnautiquemarine.fr/
Upload Vulnerability |
05/06/10 | ||
lead article[edit] |
http://www.leadya.co.il/ SQLi | 050610 | ||
djartgallery[edit] |
http://www.design-joomla.eu Multiple Vul | 05/06/10 | ||
Gallery 2 Bridge[edit] |
g2bridge LFI vulnerability | |||
jsjobs[edit] |
jsjobs SQL Injection Vulnerability | |||
[edit] |
||||
JE Poll[edit] |
http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability | |||
MyCar[edit] |
http://www.unisoft.me/extensions/ sqli ID | Dev announcement update to 1.1 | ||
MediQnA[edit] |
MediQnA LFI vulnerability version : v1.1 | |||
JE Job[edit] |
http://joomlaextensions.co.in/ LFI SQLi | |||
BF Quiz[edit] |
SQL Injection Exploit Version(s) = 1.3.0 | Developer update to BF Quiz v1.3.1 | ||
[edit] |
||||
Ozio Gallery 2[edit] |
DT and open email relay | 280510 | Developer update and security release 010610 | |
SectionEx[edit] |
Stack Ideas section Ex LFI | |||
ActiveHelper LiveHelp[edit] |
XSS in LiveHelp | 200510 | ||
RS Comments[edit] |
XSS Vulnerability | - fix posted 210510 | ||
BCA RSS Feed[edit] |
LFI and other vulnerabilities | Since changed its name to NinjaRss | ||
SimpleDownload[edit] |
http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits | 160510 | updated version (version 0.9.6) | |
JE Quotation Form[edit] |
http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI | |||
konsultasi[edit] |
SQL Injection Vulnerability | |||
Aardvertiser[edit] |
Local File Inclusion Vulnerability
http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 |
see resolved notice 040810 | ||
Seber Cart[edit] |
Local File Disclosure Vulnerability | Developer Update 140510 | ||
FDione Form Wizard[edit] |
lfi vulnerability | 140510 200510 | Update to Dione Form Wizard (v. 1.0.4). | |
Custom PHP Pages[edit] |
http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability | Developer declares not vulnerable 140510 | ||
Camp26 Visitor[edit] |
RFI www.camp26.biz | |||
iJoomla News Portal[edit] |
RFI SID | Update to 1.5.10 | ||
article Factory Manager[edit] |
RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html | may 2010 | can not reproduce and unproven, http://www.thefactory.ro | |
Table JX Component[edit] |
http://www.toolsjx.com/ Table JX Component XSS | 060510 - update 130510 | Version: 1.5.5 considered unsafe, update to 1.5.7 | |
JE Property[edit] |
JE Property Finder Upload Vulnerability | |||
Noticeboard[edit] |
Noticeboard for Joomla "controller" Local File Inclusion Vulnerability | |||
SmartSite[edit] |
SmartSite com_smartsite Local File Inclusion Vulnerability | |||
ABC[edit] |
ABC SQL Injection Vulnerability | reported as updated to JED 290410 | ||
htmlcoderhelper graphics[edit] |
htmlcoderhelper graphics v1.0.6 LFI Vulnerability | |||
Ultimate Portfolio[edit] |
Ultimate Portfolio Local File Inclusion Vulnerability | |||
huruhelpdesk[edit] |
http://www.huruhelpdesk.net sqli injection | Reported fix | ||
Archery Scores[edit] |
Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability | 210410 | ||
ZiMB Manager[edit] |
Joomla Component ZiMB Manager Local File Inclusion Vulnerability | 210410 | ||
Matamko[edit] |
Matamko Local File Inclusion Vulnerability | 210410 | ||
Multiple Root[edit] |
Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/ | |||
Multiple Map[edit] |
Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | |||
Contact Us Draw Root Map[edit] |
Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | |||
iF surfALERT[edit] |
iF surfALERT Local File Inclusion Vulnerability | |||
GBU FACEBOOK[edit] |
GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/ | |||
jnewspaper[edit] |
jnewspaper (cid) SQL Injection Vulnerability | |||
JTM Reseller[edit] |
TM Reseller SQL injection vulnerability | Developer Update | ||
media Mall Factory[edit] |
SQLi | 200410 | Solution: update to 1.0.5 | |
Gadget Factory[edit] |
LFi | 200410 | Solution: update to 1.5.1 | |
Deluxe Blog Factory[edit] |
SQLi | 200410 | update to 1.1.2 | |
[edit] |
||||
MT Fire Eagle[edit] |
LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com | 190410 | product considered retired and to be replaced by dev | |
com properties[edit] |
http://com-property.com/ SQL I | developer announced fix | ||
Sweetykeeper[edit] |
Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ | 120410 | ||
jvehicles[edit] |
SQL Injection http://jvehicles.com | 120410 | ||
worldrates[edit] |
http://dev.pucit.edu.pk/ | 120410 | ||
cvmaker[edit] |
http://dev.pucit.edu.pk/ | |||
advertising[edit] |
http://dev.pucit.edu.pk/ | |||
horoscope[edit] |
http://dev.pucit.edu.pk/ | 120410 | ||
webtv[edit] |
http://dev.pucit.edu.pk/ | 120410 | ||
diary[edit] |
http://dev.pucit.edu.pk/ | 120410 | ||
Multi-Venue Restaurant Menu Manager (MVRMM)[edit] |
http://www.focusdev.co.uk/ | 120410 | Version 1.5.2 Stable Update 4 | |
Memory Book[edit] |
http://dev.pucit.edu.pk/ | 120410 | ||
TRAVELbook[edit] |
http://www.demo-page.de/ | 120410 | ||
AlphaUserPoints[edit] |
developer upgrade | |||
JprojectMan[edit] |
LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 | 110410 | ||
CKForms[edit] |
1.3.4 release - Important LFI security fix [2] | 07-04-10 | upgrade | |
econtentsite[edit] |
LFI | 040410 | ||
Jvehicles[edit] |
ID | 040410 | ||
[edit] |
||||
smestorage[edit] |
SMEStorage LFI | Updated 29 March 10 | developer fix to 1.1 | |
JE Tooltip[edit] |
JE Tooltip LFI | Updated 23 March | ||
Gift Exchange Beta[edit] |
Gift exchange SQLi | Updated 23 March | upgrade beta 1.0.1 | |
RokDownloads[edit] |
[LFI] | 15 march 2010 | upgrade to version 1.0 | |
gigcalender[edit] |
SQLi gigcalender | 13 march 2010 | ||
heza content[edit] |
SQLi heza content | 13 march 2010 | ||
juliaportfolio[edit] |
LFI juliaportfolio | 13 march 2010 | ||
Flash Magazine Deluxe[edit] |
SQL Injection Vulnerability. | Feb 25 | Developer Update Version 2.0.11 09/03/10 | |
SqlReport[edit] |
Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer. | Feb 20 | Not Known | |
Scriptegrator[edit] |
Core Design Scriptegrator RFI exploit | Feb 20 | Dev Upgrade announcement | |
AllVideos 3.1[edit] |
A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/]| |
17 Feb | Version 3.3 release 18th | |
RW Cards[edit] |
RW Card LFI and ID exploit Dev Site | 180210 | developer update | |
Yelp[edit] |
SQLi - Unable to locate developer. Possibly a custom extension. | Feb 01 | Not Known | |
Autartitarot[edit] |
Directory Traversal. Back end access required | Feb 05 | Please upgrade to version 1.0.4 | |
communitypolls[edit] |
LFI - community polls | Feb 17 | upgrade to version 1.5.3 | |
[edit] |
This list is change protected; for updates or additions contact Mandville or lafrance.
Codes used
- SQLi - SQL injection (Wikipedia)
- LFI - Local File Inclusion (Scribd)
- RFI - Remote File Inclusion (Wikipedia)
- DT - Directory Traversal (Wikipedia)
- ID - Information Disclosure: account information or sensitive information publicly viewable
Future Actions & WIP
- RSS feed completed
- To feed the VEL directly to Twitter
Notes
The RSS feed is currently ordered by item entry order, not by the date fixed. List as discussed in jtopic:455746 by PhilD; edited by Mandville.