Actions

Archived

Cleared vulnerable extensions

From Joomla! Documentation

Revision as of 11:46, 8 July 2013 by Mandville (Talk | contribs)

Replacement filing cabinet.png
This page has been archived - Please Do Not Edit or Create Pages placed in this namespace. The pages in the Archived namespace exist only as a historical reference, it will not be improved and its content may be incomplete.
Documentation all together tranparent small.png
Under Construction

This article or section is in the process of an expansion or major restructuring. You are welcome to assist in its construction by editing it as well. If this article or section has not been edited in several days, please remove this template.
This article was last edited by Mandville (talk| contribs) 15 months ago. (Purge)


This page is no longer maintained. For current resolved VEL issues refer to http://vel.joomla.org


Previously Vulnerable extensions that are now patched are shown in blue

This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link

November 2009 Compiled Vulnerability Reports.

Items are not in any particular order.


Extension Details Reference Link Extension Update Link
com_ajaxchat Summary: PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.New version release December 22,2009

Published: october 28 2009

CVE-2009-3822 update v 1.1
com_foobla_suggestions Summary: SQL injection vulnerability in the foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.

Published: 10/11/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3669 developer reported upgrade
com_cbresumebuilder Summary: SQL injection vulnerability in the JoomlaCache CB Resume Builder ('com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.

Published: 10/09/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3645 Developer Update
com_idoblog Summary: SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.

Published: 09/25/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3417 New Version v 1.1 (build 32)
com_alphauserpoints Summary: SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.

Published: 09/24/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3342 1.5.3
com_jreservation Summary: SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.

Published: 09/23/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3316 Updated 28th Jan fixed 13th Nov
com_aclassf Summary: SQL injection vulnerability in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action to index.php, a different vector than CVE-2009-2567.

Published: 09/10/2009 CVSS Severity: 7.5 (HIGH)

CVE-2009-3154 Developer latest component
com_agora Summary: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.

Published: 09/03/2009 CVSS Severity: 6.8 (MEDIUM)

CVE-2009-3053 3.0.7
com_content Summary: SQL injection vulnerability in the content component (com_content) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.

Published: 08/10/2009 CVSS Severity: 7.5 (HIGH)

CVE-2008-6923 Resolution
JUMI There is a backdoor in JUMI that installs itself when JUMI is installed on your web site. It sends your credentials to a website, and sets up a back door for remote code execution.

Please remove JUMI2.0.5 immediately. It will be simple enough to remove the compromised code from this download, but you need to do a full security audit on your site as well as you have been compromised. Added November 2009

Report Jumi Update
com_photoblog Input Validation Error Added November 2009 36809 webguerilla Photoblog alpha 3b
BF Survey Pro Summary: SQL injection vulnerability in the BF Survey Pro v1.2.5 or lower (fixed in version 1.2.6). BF Survey Basic v1.0 (fixed in version 1.1). BF Quiz v1.1.1 (fixed in version 1.2 or greater) Added November 2009 tamlyncreative.com.au update
Joo!BB 0.9.1 Summary: Persistent XSS/MySQL Injection vulnerabilities in Joo!BB 0.9.1 Added November 2009 joob.org update
sh404sef Summary: sh404sef URI XSS Vulnerability Added November 2009 jeffchannell.com update
AWD Wall 1.5 Summary AWD Wall 1.5 Blind SQL Injection Vulnerability.The Joomla component AWD Wall 1.5 suffers from an SQL Injection vulnerability in its handling of the 'cbuser' parameter.Added November 2009 Notice developer update
!JoomlaComment 4.0 beta1 Summary: !JoomlaComment 4.0 beta1, a commenting plugin, suffers from multiple XSS vulnerabilities. Added November 2009 Alert ' Developer Notice 4.0 rc1
Kunena 1.5.x Summary: This is an important security release and users are urged to update immediately. Five security issues and an Internet Explorer 8 table bug have been resolved in this release. This release also contains many other important bug fixes. Added 18 November 2009 Advisory Latest 1.5.8 Version
NinjaMonials Summary: SQL injection vulnerability in the NinjaMonials (com_ninjacentral) component 1.1.0 for Joomla 1.0.x ! allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php. Added 18 November 2009 CVE-2009-3964 developer patch Ver 1.2
webee 1.1.1 &1.2 Summary: webee 1.1.1, a Joomla commenting plugin, suffers from multiple vulnerabilities. webee has been updated to 1.2 as of 12 November 2009 and still suffers from SQL Injection. XSS was not tested in 1.2. Added 19 November 2009 jeffchannell.com developer update ver2.0
iF Portfolio Nexus Summary: The iF Portfolio Nexus component for Joomla! is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements using the id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009 secunia.com 37408/ iF Portfolio Nexus v1.1.1 released
Joomla XML Summary: Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number, via a direct request.

Published: 11/16/2009

CVE-2009-3946 Resolution
Sermon speaker Summary: sermon speaker sql vulnerability and password reset vulnerability version 3.2 and below Developer fix 30 Nov 2009
MusicGallery Summary: Component MusicGallery SQL Injection Vulnerability 30 November Joomla 1.5 CVE-2009-4217 developer

December 2009 Compiled Reports

Extension Details Reference Link Extension Update Link
Omilen Photo Gallery Summary: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.

Published: 12/04/2009

CVE-2009-4202 Not Known
Seminar Summary: SQL injection vulnerability in the Seminar (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php.

Published: 12/04/2009

CVE-2009-4200 Not Known
Mambo Resident Summary: Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) property_uid parameter in a viewproperty action to index.php and the (2) regID parameter in a showregion action to index.php. Mambo Resident component for v4.5.2 may only be for 1.0.xx versions of J!

Published: 12/04/2009

CVE-2009-4199 Replacement Extension 08 dec 09
ProofReader Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM) CVE-2009-4157 Not Known
Laoneo Google Calendar GCalendar Summary: SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) Note: There is already a listing for GCalendar 1.1.2 CVE-2009-4099 Latest version GCalendar Suite 2.1.5
D4J eZine Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) CVE-2009-4094 Not Known
Quick News Summary: The Joomla Quick News component suffers from a remote SQL injection vulnerability. added 1st Dec 09 Reference Not Known
Joaktree component Summary: Joaktree Vulnerability : SQL injection/ added 1st Dec 09 7508 version 1.1 update
mojoblog Summary MojoBlog Multiple Remote File Include Vulnerability added 1st Dec 09 Joomla 1.5 7509 Not Known
YJ Whois Summary: YJ Whois Low security risk,and fixesMalicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Files affected is , modules/mod_yj_whois.php added 3 December 09 Reference Developer Notice and fix 03 dec 09
yt_color YOOOtheme Summary: YT_color yootheme Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. added 5 dec 09 Reference All members without an active membership can download the template patches here.
TP Whois summary: TP Whois Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account. Added 3 december Joomla 1.5 Refrence Not Known
com_job Summary: Component com_job ( showMoreUse) SQL injection vulnerability Added 9th Dec Reference Not Known
JQuarks Summary: JQuarks SQL injection vulnerability Joomla 1.5 added 8th dec 09 Reference Developer Update
Mamboleto Component 2.0 RC3 Summary: Mamboleto Component 2.0 RC3SQL injection vulnerability Joomla 1.5 added 12 December Reference Not Known
JS JOBS Summary JS JOBS Joomla Component com_jsjobs 1.0.5.6 SQL Injection Vulnerabilities Joomla 1.5 added 12 December Reference Developer update 1.0.5.7
corePHP JPhoto Summary: 'corePHP' JPhotoSQL injection vulnerability Joomla 1.5 added 12 December Reference Developer Upgrade
com_virtuemart Summary: "com_virtuemart" http://virtuemart.net/ Version : 1.0 Vulnerability : SQL injection added Date : 07- dec -09 Joomla 1.5 Reference latest version
Kide Shoutbox Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08 CVE-2009-4232 Not Known
JoomPortfolio Component Summary: JoomPortfolio Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18 Joomla 1.5 Reporting Site Not Known
City Portal (templates?) Summary: City Portal Blind SQL Injection Vulnerability added: 2009-12-18 Reference Possibly this tempate Not Known
Event Manager Summary: Event Manager Blind SQL Injection Vulnerability EDB-ID: 10549

added: 2009-12-18

Reference Not Known
com_zcalendar Summary: com_zcalendar Blind SQL-injection Vulnerability

EDB-ID: 10548 added: 2009-12-18

Reference Not Known
com_acmisc Summary: com_acmisc SQL injection added: 2009-12-18 Reference Not Known
com_digistore Summary: com_digistore SQL injection EDB-ID: 10546 added: 2009-12-18 Joomla 1.5 Reference Update change log
com_jbook Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18 Joomla 1.0 Reference Not Known
com_personel Summary: com_personel component for Joomla! is vulnerable to SQL injection. iss.net reference Not Known
JEEMA Article Collection Summary: JEEMA Article Collection Input passed via the "catid" parameter to index.php (when "option" is set to "com_jeemaarticlecollection" and "view" is set to "longlook") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. version 1.0.0.1 Joomla 1.5 added 22 dec 09 secunia fixed the same in the version v102.
HotBrackets Tournament Brackets Summary: The HotBrackets Tournament Brackets component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Joomla 1.5 added 22 dec Reference Not Known
Car Manager Summary: http://webformatique.com/ com_carman Cross Site Scripting Vulnerability added 24 december 09Joomla 1.5 Reference Not Known
Schools component Summary: The 'com_schools' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Reference added 24 dec 09 Not Known
webcamxp com_webcamxp Cross Site Scripting Vulnerabilities Last version 2008 Joomla 1.5 Dec 27 Reference Not Known
beeheard beeheard Blind SQL injection Vulnerability Joomla 1.5 Dec 27 Reference Version 1.4.2 04 Jan
jm-recommend jm-recommendCross Site Scripting Vulnerabilities. unable to locate on jed. Joomla 1.5 Dec 27 Reference Not Known
facileforms com_facileforms Cross Site Scripting Vulnerabilities. unable to locate on jed. Product considered retired. Joomla 1.5 Dec 27 Reference Not Known
adagency adagency Vulnerabilities Joomla 1.5 Dec 27 Reference Not Known
com_intuit com_intuitLocal File Inclusion Vulnerability Joomla 1.5 Dec. 27 Reference Retired
MemoryBook MemoryBook 1.2 Multiple Vulnerabilities. requires: magic quotes OFF, user account Joomla 1.5 Dec. 27 Reference Not Known
qpersonel qpersonel Cross Site Scripting Vulnerabilities Joomla 1.0File:Http://extensions.joomla.org/images/jed/compat 15 legacy.png Dec. 27 Reference Not Known
opryknings point com_oprykningspoint_mc Cross Site Scripting Vulnerabilities Joomla 1.5 Dec. 27 Reference Not Known
trabalhe conosco com_trabalhe_conosco Cross Site Scripting Vulnerabilities Joomla 1.5 Dec. 27 Reference Not Known
DhForum com_dhforum SQL Injection Vulnerability. considered retired/EOL Dec. 27 Joomla 1.01.5 legacy Reference Not Known
com_morfeoshow morfeoshow this was a false report Reference false report
Run Digital Download rd-download RD Download Local File Disclosure Vulnerability Joomla 1.5 Dec. 30 Version affected not disclosed. Reference Version 0.9 relased

<math>Insert formula here</math>