Actions

Archived

Vulnerable Extensions List

From Joomla! Documentation

Revision as of 04:10, 15 July 2011 by CirTap (Talk | contribs)

Replacement filing cabinet.png
This page has been archived - Please Do Not Edit or Create Pages placed in this namespace. The pages in the Archived namespace exist only as a historical reference, it will not be improved and its content may be incomplete.

Contents

Please check here also:

Please also check the Extension Investigation List.

Check and Report.

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions in the security forum clearly marked with the first word in the title being Vulnerable where the security moderators or JSST team will respond. This list is change protected, for additions or updates email vel @ joomla.org Mandville or lafrance are the main editors

How to use this list

Items will be removed after a suitable period and not on resolution All known vulnerable extensions are the listed in the first column. Any in a red box are where we have not been given a fix for. Alert Advisory details in the centre column . Finally a link to the notice about any update with link or Not Known where none is known.

This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link

  • We do not list BETA products, or extensions for J1.0.x

Developers - How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.

5- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of yournew version number and security notice page

6- Email the VEL team with a notice of resolution, the latest version number and a link to the security release statement on your website


VEL email can be found above and the JED support link is in your notice of "unpublication" and here

  • If not JED listed.

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

February 2010 and onwards Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions either in the jforum:432 security topic clearly marked with the first word in the title being Vulnerable Report where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the codes


Extension Details Date Added Extension Update Link & Date

Sobi

SQLI - 130711 developer fix and update statement

fabrik

sqli 120711 Developers Update statement 2.1

xmap

sqli 1.2.11 120711 upgrade to 1.2.12

Atomic Gallery

Creates 777 folders Atomic gallery 110711

myApi

ID Contains "Call-Home" function. Sends private user information to developer. 020711 Developer states Use version 1.3.4.1

mdigg

SQL I (not listed in JED) 020711

Calc Builder

sqli + ID 180611 dev security release 0.0.2

Cool Debate

Cool Debate 1.03 LFI

Scriptegrator Plugin 1.5.5

LFI 140611 Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6

Joomnik Gallery

SQLi developer update to 0.9.1

JMS fileseller

LFI 0611 developer upgrade announcement to v1.1

sh404SEF

low-level XSS security issue 300511 Dev upgrade statement to 2.2.6

JE Story submit

LFI/RFI developer states Version 1.8

FCKeditor

File Upload Vulnerability 230511

KeyCaptcha

Private report under investigation 190511

Ask A Question AddOn v1.1

SQLi 160511

Global Flash Gallery

flash-gallery.com xss 130511 dev release 0.5.0 statement

com_google

LFI com_google 080511 devs update to 1.5.1

docman

com-docman Input Validation Error 160511 devs resolution statement, report for old version

Newsletter Subscriber

XSS 120511 Deveopler update

Akeeba

akkeba backup and joomlapack 170411 dev update to 3.2.7

Facebook Graph Connect

SID. call home device with user credentials 120411 dev update notice

booklibrary

SQLi ordasoft booklibrary 180311 developer upgrade instructions

semantic

com semantic http://www.scms.es/joomla creates hidden admin users 150311

JOMSOCIAL 2.0.x 2.1.x

SID, open folders 120311

flexicontent

forced 777, malicious files 250311 devs resolve statement, Changelog

jLabs Google Analytics Counter

jLabs Google Analytics Counter SID

xcloner

Unspecified 260211 dev announcement of security release

smartformer

RFI 230211 (repeat of 041110) v2.4.1 security fix for Joomla 1.5.x

xmap 1.2.10

Malicious payload in zip 230211 developer resolution notice Clean version available from joomlacode

Frontend-User-Access 3.4.1

Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI 030211 update to Frontend-User-Access 3.4.2

com properties 7134

http://com-property.com/ malicious files in script Dev update statement

B2 Portfolio

B2 portfolio 1.0 SQLi pulseextensions.com 250111

allcinevid

SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 220111 Developers resolution notice

People Component

People component http://www.ptt-solution.com/vmchk/people-component.html sqli 150111

J!Dump v1.1.2

LFI in J!Dump v1.1.2 and before 060111 The extension is fixed in

version 1.1.3 070111

xmovie 1.0

xmovie 1.0 LFi 010111 v1.1 is a security release.

Easy File Uploader

LFI - http://extensions.joomla.org/extensions/core-enhancements/file-management/11909 090111 Fixed MIME type tamper vulnerability http://michaelgilkes.info/joomla-plugin-easy-file-uploader 2011-01-10

akeebabackup admin tools

xss 181210 http://www.akeebabackup.com/home/item/929-security-release-admin-tools-1-1.html devs update statement

aicontactsafe

XSS for versions 2.0.13 and below 161210 dev release 2.0.14

JRadio

JRadio LFI/SID 161210 http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56 developer fix statement

JE Auto

JE Auto 1.0 SQL I 091210 developers bug fix statement

jxtended comments

xss 081210 dev notice update to 1.3.1

sh404SEF

sqlI 301110 dev post of resolution

JE Ajax Event Calendar

SQL I (relist) 251110 Dev states resolved,

Jimtawl

Jimtawl LFI 251110

mosets tree

mosets tree various 181110 dev release 2.1.8 http://forum.mosets.com/showthread.php?t=17064

Maian Media SILVER

Maian Media SQLi 151110 Developer states unproven in free edition, paid/SILVER version is being upgraded. dev article

alfurqan

alfurqan 1.5 sqli 151110

ccboard

ccboard XSS and SQLi 131110

ProDesk v 1.5

LFI 091110

JQuarks 4 survey 1.0.0

SQLi 091110 developer statement updated to version 1.0.1 101110

RSform! 1.0.5

Multiple vulnerabilities - LFI, SQLi 061110 developer announcement of security releaseto 1.0.6 091110

ccinvoices

SQLi for ccinvoices 051110 Developer Upgrade release to ccInvoices_110RC3 061110

sponsorwall

SQL injection pulseextensions.com 011110


Flip wall

SQL injection pulseextensions.com 011110

K2 joomlaworks

http://getk2.org/ k2 xss version 2.4.1

Mosets Tree 2.1.5

Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI developer relase statement and change log

Freestyle FAQ 1.5.6

http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 ‎SQL Injection

JE FAQ Pro

Je faq pro various reports 090910 Developer update notice

iJoomla Magazine 3.0.1

iJoomla Magazine 3.0.1 RFI 090910

Clantools

http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli 090910

jphone

jphone LFI 090910

Gantry Framework

SQli injection 050910 Update to 3.0.11

PicSell

LFD, 777 020910

JE FAQ Pro

SID 020910 Developer update notice

Zoom Portfolio

SID 020910

zina

SQL Injection 020910

Team's

Teams extension SQL Injection 120810

Amblog

Amblog SQLi 120810

Graffiti Wall

Graffiti Wall for jomsocial silent 777 310710 Dev statement 1.1 - is security release. Folder permission was set by default as 777 that is unsecure.

Spielothek

http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation 290710 Dev states version 1.7.1 resolves issues 020810

Aardvertiser

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777 290710 dev announces silent 0777 fixed in Version 2.1 290710

FW Real Estate Light

http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777 290710 version 1.1 reported as fixed 777 issue

jDownloads

http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting 2807110 1.7.4 RC3 Build 771 update on Jul 29 to remove 0777

TTVideo

TTVideo 1.0 Joomla SQL Injection Vulnerability 270710 dev updated the component to prevent this. 280710

Users are no longer able to download the previous version.

frei-chat2.0

http://code.google.com/p/frei-chat/downloads/list xss vulnerability 230710 Dev announcement to fix 2.1.2 for FreiChat [Those having CB installed]AND 1.2.2 for FreiChatPure [Extension Independent] 240710

QContacts

http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 Version: 1.0.4 reported, current version 1.0.6 220710 Devleoper states unproven report and no POC

Jomtube

http://www.jomtube.com/ SID 220710

mysms

http://www.willcodejoomlaforfood.de/ Upload Vulnerability july 10,2010 290710 released the version 1.5.12.

Rapid Recipe

http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 july 10,2010

Health & Fitness Stats

http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010


staticxt

http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided

EasyBlog

http://stackideas.com/products/easyblog.html xss (new report) july 10,2010 developer reported fix available on site

redshop light

http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and sqli 110710 Developer reported fix and upgrade to RC2

quickfaq

http://www.schlu.net sqli 090710

Minify4Joomla

http://waltercedric.com/ LFI and xss 090710 No longer available to download

IXXO Cart

http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability

Music Manager

LFI music manager 090710 Version 0.13 released

PaymentsPlus

http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability 090710 current version 2.20, 2.1.5 not listed on dev site

ArtForms

http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities 090710 Old beta extension

NeoRecruit

neojoomla.com SQL Injection neorecruit vers 1.4 060710 dev statement of fix in 1.4.1 and safe 2.0.5

autartimonial

autartica.be Sqli Vulnerability 060710

Jobs Pro

instantphp.com/ Sqli 060710 devs announcement of fix 130710

JPodium

http://www.jpodium.de/ SQL Injection 060710 Devs statement as to not proven

Front-End Article Manager System

http://b-elektro.no/ Upload Vulnerability 040710 dev states resolved

addressbook

http://b-elektro.no/ Upload Vulnerability 040710 dev states resolved

NijnaMonials

http://ninjaforge.com/ Sqli Vulnerability 040710 070410 Discovered to be malicious/false report see devs notice

Phoca Gallery

SQL I (wrong download location in report) 040710 deemed malicious report

socialads

techjoomla.com/ Xss Vulnerability 040710 Developers resolved statement

eventcal 1.6.4

http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode 040710

myblog controller

LFI

http://www.azrul.com/

010710 MyBlog 3.0.332

joomanager

SQli Vulnerability

http://www.joomanager.com

010710 developer release statement 260311

gamesbox

SQL Injection Vulnerability

http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox

010710 upgrade to 1.0.10

wmtpic

www.webmaster-tips.net various 010710

date converter

http://sourceforge.net/projects/date-converter/ sqli 010710

Remository

http://remository.com/ LFI (proc) 010710 Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710

RokBridge 1.0rc12

http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SDI 090810 RokBridge has been updated to version 1.0rc13. 120810

real estate

http://www.opensourcetechnologies.com/demos/real-estate.html RFI 210610

jomsocial

Version: 1.6.288 Multiple XSS 210610 1.6.291 released 220610

DOCman

DOCman 1.5.7 DOCman 1.4.0 none specific exploit 210610 developer announcement

eportfolio

http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability 200610 Developer announcement 270810

cinema

SQL injection 190610

Jreservation

http://jforjoomla.com/ SQLi Vulnerability 190610

Super Messenger

axxis.gr xss 190610 developer release statement 1.4.6

joomdocs

http://joomclan.com/index.php/JoomDocs/ xss vulnerability 190610

RSComments 1.0.0

Persistent XSS NOTE: ONLY executes in backend! 190610 Developer update announcement 210610

Live Chat

http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities 190610

Turtushout 0.11

http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) 190610

BF Survey Pro Free

BF Survey Pro Free SQL Injection Exploit 190610

MisterEstate

http://www.misterestate.com/ Blind SQL Injection Exploit 190610

RSMonials

http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit 190610 Believed to be 1.5.1 version


RSComments 1.0.0

RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted) 180610 Developer update announcement 210610

Answers v2.3beta

Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 180610

Gallery XML 1.1

Multiple Vulnerabilities

http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504

180610

JFaq 1.2

JFaq 1.2 Multiple Vulnerabilities 180610

Listbingo 1.3

Multiple Vulnerabilities

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062

180610

PowerMail Pro

PowerMail Pro Local File Inclusion Vulnerability Dev upadte statement 151010

Alpha User Points

www.alphaplug.com LFI 180610

Magic Updater

http://software.realtyna.com/ RFI 170610 [1] developer update statement

recruitmentmanager

http://recruitment.focusdev.co.uk Upload Vulnerability 130610

Info Line (MT_ILine)

http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file 120610

Search Log

http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi 080610 Developer cited update to version 3.1.1 100710

iJoobi

jtickets, jsubscription SQL Injection Vulnerability,

jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection,

090610 developer states unproven

Ads manager Annonce

http://joomla.clubnautiquemarine.fr/

Upload Vulnerability

05/06/10

lead article

http://www.leadya.co.il/ SQLi 050610

djartgallery

http://www.design-joomla.eu Multiple Vul 05/06/10

Gallery 2 Bridge

g2bridge LFI vulnerability

jsjobs

jsjobs SQL Injection Vulnerability

JE Poll

http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability

MyCar

http://www.unisoft.me/extensions/ sqli ID Dev announcement update to 1.1

MediQnA

MediQnA LFI vulnerability version : v1.1

JE Job

http://joomlaextensions.co.in/ LFI SQLi

BF Quiz

SQL Injection Exploit Version(s) = 1.3.0 Developer update to BF Quiz v1.3.1

Ozio Gallery 2

DT and open email relay 280510 Developer update and security release 010610

SectionEx

Stack Ideas section Ex LFI

ActiveHelper LiveHelp

XSS in LiveHelp 200510

RS Comments

XSS Vulnerability - fix posted 210510

BCA RSS Feed

LFI and other vulnerabilities Upgrade to Ninja RSS Syndicator 1.0.9 or later

SimpleDownload

http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits 160510 updated version (version 0.9.6)

JE Quotation Form

http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI

konsultasi

SQL Injection Vulnerability

Aardvertiser

Local File Inclusion Vulnerability

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454

see resolved notice 040810

Seber Cart

Local File Disclosure Vulnerability Developer Update 140510

FDione Form Wizard

lfi vulnerability 140510 200510 Update to Dione Form Wizard (v. 1.0.4).

Custom PHP Pages

http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability Developer declares not vulnerable 140510

Camp26 Visitor

RFI www.camp26.biz

iJoomla News Portal

RFI SID Update to 1.5.10

article Factory Manager

RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html may 2010 can not reproduce and unproven, http://www.thefactory.ro

Table JX Component

http://www.toolsjx.com/ Table JX Component XSS 060510 - update 130510 Version: 1.5.5 considered unsafe, update to 1.5.7

JE Property

JE Property Finder Upload Vulnerability

Noticeboard

Noticeboard for Joomla "controller" Local File Inclusion Vulnerability

SmartSite

SmartSite com_smartsite Local File Inclusion Vulnerability

ABC

ABC SQL Injection Vulnerability reported as updated to JED 290410

htmlcoderhelper graphics

htmlcoderhelper graphics v1.0.6 LFI Vulnerability

Ultimate Portfolio

Ultimate Portfolio Local File Inclusion Vulnerability

huruhelpdesk

http://www.huruhelpdesk.net sqli injection Reported fix

Archery Scores

Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability 210410

ZiMB Manager

Joomla Component ZiMB Manager Local File Inclusion Vulnerability 210410

Matamko

Matamko Local File Inclusion Vulnerability 210410

Multiple Root

Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/

Multiple Map

Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

Contact Us Draw Root Map

Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

iF surfALERT

iF surfALERT Local File Inclusion Vulnerability

GBU FACEBOOK

GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/

jnewspaper

jnewspaper (cid) SQL Injection Vulnerability

JTM Reseller

TM Reseller SQL injection vulnerability Developer Update

media Mall Factory

SQLi 200410 Solution: update to 1.0.5

Gadget Factory

LFi 200410 Solution: update to 1.5.1

Deluxe Blog Factory

SQLi 200410 update to 1.1.2

MT Fire Eagle

LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com 190410 product considered retired and to be replaced by dev

com properties

http://com-property.com/ SQL I developer announced fix

Sweetykeeper

Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ 120410

jvehicles

SQL Injection http://jvehicles.com 120410

worldrates

http://dev.pucit.edu.pk/ 120410

cvmaker

http://dev.pucit.edu.pk/

advertising

http://dev.pucit.edu.pk/

horoscope

http://dev.pucit.edu.pk/ 120410

webtv

http://dev.pucit.edu.pk/ 120410

diary

http://dev.pucit.edu.pk/ 120410

Multi-Venue Restaurant Menu Manager (MVRMM)

http://www.focusdev.co.uk/ 120410 Version 1.5.2 Stable Update 4

Memory Book

http://dev.pucit.edu.pk/ 120410

TRAVELbook

http://www.demo-page.de/ 120410 developers resolution notice 1.0.2

AlphaUserPoints

developer upgrade

JprojectMan

LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 110410

CKForms

1.3.4 release - Important LFI security fix [2] 07-04-10 upgrade

econtentsite

LFI 040410

Jvehicles

ID 040410

smestorage

SMEStorage LFI Updated 29 March 10 developer fix to 1.1

JE Tooltip

JE Tooltip LFI Updated 23 March

Gift Exchange Beta

Gift exchange SQLi Updated 23 March upgrade beta 1.0.1

RokDownloads

[LFI] 15 march 2010 upgrade to version 1.0

gigcalender

SQLi gigcalender 13 march 2010

heza content

SQLi heza content 13 march 2010

juliaportfolio

LFI juliaportfolio 13 march 2010 withdrawal and update notice

Flash Magazine Deluxe

SQL Injection Vulnerability. Feb 25 Developer Update Version 2.0.11 09/03/10

SqlReport

Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer. Feb 20 Not Known

Scriptegrator

Core Design Scriptegrator RFI exploit Feb 20 Dev Upgrade announcement

AllVideos 3.1

A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/]|

17 Feb Version 3.3 release 18th

RW Cards

RW Card LFI and ID exploit Dev Site 180210 developer update

Yelp

SQLi - Unable to locate developer. Possibly a custom extension. Feb 01 Not Known

Autartitarot

Directory Traversal. Back end access required Feb 05 Please upgrade to version 1.0.4

communitypolls

LFI - community polls Feb 17 upgrade to version 1.5.3

This list is change protected, for updates or additions Mandville or lafrance

Codes used

SQLi - SQL injection wikipedia

LFI - Local File Inclusion scribd

RFI - Remote file inclusion wikipedia

DT - Directory Traversal wikipedia

ID = Information Disclosure: account information or sensitive information publicly viewable




Future Actions & WIP

RSS feed completed


to feed VEL direct to twitter

Notes

The RSS feed is currently fed by item entry order and not by date fixed. List as discussed in jtopic:455746 by PhilD editing by Mandville