Archived

Vulnerable Extensions List

From Joomla! Documentation

Revision as of 12:45, 19 May 2013 by Mandville

This page has been archived. Please do not edit or create pages placed in this namespace. The pages in the Archived namespace exist only as a historical reference; they will not be improved and their content may be incomplete.


General Information

This document has been replaced by the website at vel.joomla.org as of 1st May 2013. Please refer there for the latest updates.

The list prior to January 2011 (now archived) should also be checked. Please also check the Extension Investigation List.

Check and Report.

Please check with the extension publisher in case of any questions over the security of their product.

General Information

All reports are now to be made via vel.joomla.org.

Report vulnerable extensions on the VEL website.

How to use this list

Items will be removed after a suitable period and not on resolution.

All known vulnerable extensions are listed in the first column, "Extension". A red box means we have not been given a fix. A turquoise box contains a link to the notice about an update. An uncoloured box means "Contact the Developer About This Extension". Alert advisory details are in the centre column. If the "Extension Update Link & Date" column reads "Not Known", no update is known to us.

This list is compiled from information found by the team and may not be an up-to-date or accurate list. We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed, please follow this link.

  • We do not list BETA products or extensions for J1.0.x

Developers - How to get yourself removed from the VEL

Resolved items will be removed after a suitable period, not immediately on resolution.

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description stating that the new release is a "Security Release" and that those who use the extension should upgrade immediately.

5- Email the VEL team with a notice of resolution, the latest version number and a link to the security release statement on your website.

6- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page.

The VEL email address can be found above; the JED support link is in your notice of "unpublication" and here.

  • If not JED listed

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

January 2012 and onwards Reported Vulnerable Extensions

Columns: Extension | Details | Date Added | Extension Update Link & Date

civic crm 422

upload exploit /RFI 260413 developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1

alfcontact

xss 230413 developer release statement on ALFContact v2.0.8 for J!2.5 and ALFContact v3.1.4 for J!3

aiContactSafe 2.0.19

xss 160413 developer release statement for version 2.0.21

RSfiles

SQL 180313 developer release statement for version 12

Multiple Customfields Filter for Virtuemart

SQLi 18212 developers 1.6.8 update statement

Collector

Various [steevo.fr] 230113 developer update statement to 0.5.1

tz guestbook

Various 100113 developer release statement for 1.1.2

extplorer

2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass 251212 developer update to 2.1.3 statement

JooProperty

SQLi 101212 developer release new version 1.13.1 - upgrade notice

Multiple Customfields Filter for Virtuemart

SQLi 18212 developers update statement

ag google analytic

Various 061212

sh404sef <3.7.0

Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5 26112 developer statement

Login Failed Log

23112 ID - information disclosure developer release statement to ver 1.5.4

jNews

131112 developer update statement to version 7.9.1 151112
Joombah Jobs

Upload restriction issues 131112 developer update statement

commedia

RFI 231012 developer update statement to version 3.2 271012
Kunena

SQLi + ID 221012 Developer states current version not exploitable by reported methods
Icagenda

SQLi Developer statement for 1.2.9

JTag [joomlatag]

SQLi

Freestyle Support

SQLi developer update statement 251012

ACEFTP

DT 011012 AceFTP 2.0.0 released. Developer statement 101012

MijoFTP

DT 011012 *reported fixed prior to notification*

spider calendar lite

RFI 180912 developer release version 1.5

RokModule

SQLi Rereported 180912 Developer states: no known exploits for our current versions of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4

ICagenda

SQLi developer security release - v1.2.1 080912
En Masse cart

RFI 060812 Developer upgrade statement to 3.1.3

JCE (joomla content editor)

Upload Restriction <2.2.4 050812 Developer states current version not exploitable

RSGallery2

SQLi XSS 31 07 12 Developer statement: versions 3.2.0 for Joomla 2.5 and 2.3.0 for Joomla 1.5 released

osproperty

Unrestricted uploads 160712 Developer release version 2.0.3 180712

KSAdvertiser

RFI 160712 Advice on security update version 1.5.72 can be found here: German | English

Shipping by State for Virtuemart

elevated permissions (http://web-expert.gr/en) 160612 Upgrade to v2.5 download commercial product 300612

ownbiblio 1.5.3

SQLi + 250512

Ninjaxplorer <=1.0.6

developer notification 250412 developer statement upgrade to 1.0.7

Phoca Fav Icon

Permissions Rewrite 150412 developer update 2.0.3 statement

estateagent improved

sqli (eaimproved.eu) 110412 developer states previous version, not current version

bearleague

110412 sql (no longer maintained)

JLive! Chat v4.3.1

DT 060412 Developer reports as unproven

virtuemart 2.0.2

SQLi 050412 developers release statement. Current version 2.0.6 released

JE testimonial

SQLi 230312 Developer states malicious report.

JaggyBlog

excessive file permission 090212 version 1.3.1 released

Quickl Form

xss 260112

com_advert

sqli - unknown developer 240112

Joomla Discussions Component

sqli 180112 Discussions 1.4.1 released developer statement

HD Video Share (contushdvideoshare)

sqli 180112 updated version 2.2

Simple File Upload 1.3

RFI 010112 Developer update statement to 1.3.5

January 2011 - Jan 2012 Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic, clearly marked with the first word in the title being "Vulnerable Report", where the security moderators or JSST team will respond, or via email to the VEL team. For a guide to the codes, see "Codes used" below.

Columns: Extension | Details | Date Added | Extension Update Link & Date

Simple File Upload 1.3

RFI 010112 Developer update statement to 1.3.5

Dshop

sqli (possibly dhrusya.com) 201111

QContacts 1.0.6

sqli 131211

Jobprofile 1.0

SQL Injection Vulnerability 051211

JX Finder 2.0.1

XSS Vulnerabilities 011211

wdbanners

Unknown Exploit 301111

JB Captify Content J1.5 and J1.7

Security checks missing - Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip 141111 All extensions available on the site have been updated and this potential security issue has been resolved.

JB Microblog

Security checks missing - J1.7 only. Versions prior to 1.10.3 14111 All extensions available on the joomlabamboo.com site have been updated and this potential security issue has been resolved.

JB Slideshow <3.5.1,

Security checks missing 141111 All extensions available on the joomlabamboo.com site have been updated and this potential security issue has been resolved.

JB Bamboobox

Security checks missing - J1.5 all versions prior to 1.2.2 141111 All extensions available on the joomlabamboo.com site have been updated and this potential security issue has been resolved.

RokModule

SQLI - exploits RokStock RokWeather RokNewspager 121111 developer release statement RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5

hm community

Multiple Vulnerabilities 011111 developer release 1.01

Alameda

SQLi 01111 developer statement and Latest version number v1.0.1.

Techfolio 1.0

Techfolio 1.0 SQLI 291011

Barter Sites 1.3

Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities 291011 developer release 1.3.1

Jeema SMS 3.2

Jeema SMS 3.2 Multiple Vulnerabilities 291011 developer resolution notice for 3.5.2

Vik Real Estate 1.0

Vik Real Estate 1.0 Multiple Blind SqlI 291011

yj contact

LFI (youjoomla contact) 241011 developer update statement 261011

NoNumber Framework

Advanced Module Manager, AdminBar Docker, Add to Menu, Articles Anywhere, What? Nothing!, Tooltips, Tabber, Sourcerer, Slider, Timed Styles, Modules Anywhere, Modalizer, ReReplacer, Snippets, DB Replacer, CustoMenu, Content Templater, CDN for Joomla!, Cache Cleaner, Better Preview 181011 see http://feeds.feedburner.com/nonumber/news for updates of the various extensions

Time Returns

SQLi takeaweb.it 151011 No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old versions are no longer supported) http://www.takeaweb.it

Simple File Upload

LFI 300811 developer advice page

Jumi

LFI 300811 Developer states proper use of joomla administration/extension documentation reading

Joomla content editor

JCE lfi/rfi vulnerability JCE 2.0.11 and JCE 1.5.7.14 have been released

Google Website Optimizer

Numerous vulnerabilities. Website Optimizer, Pearl Group 290811 developer update statement to ver. 1.4.0

Almond Classifieds

777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) 260811 developer resolution notice

joomtouch

LFI/RFI 180811 developers resolution notice 1.0.3

RAXO All-mode PRO

Timthumb RFI 110811 developer upgrade 1.5.0 statement

V-portfolio

DT - open folders 110811 developer resolution statement

obSuggest

LFI 310711 developer release statement

Simple Page

LFI 230711 developer update statement v1.5.17 has been released

JE Story

LFI 230711 developer security update notice to ver 1.9

appointment booking pro

LFI 22071 developer update security announcement: current 2.0.1 and 1.4.x versions are not vulnerable

acajoom

xss (admin permission required) 220711 updated to 5.20

gTranslate

ID - 220711 developer security release 1.5 x.25 and 1.6 x.26.

alpharegistration

http://www.alphaplug.com/ Please contact the developer for any questions on this extension 170711 220711

Jforce

DT - 170711 developer states the new version number v1.5r1362 resolves the problem

Flash Magazine Deluxe Joomla

ID multiple vulnerabilities 170711 developer release 2.1.4

AVreloaded

SQLi - version 1.2.6 150711 1.2.7 released developer release statement 160711

Sobi

SQLI - 130711 developer fix and update statement

fabrik

sqli 120711 Developers Update statement 2.1

xmap

sqli 1.2.11 120711 upgrade to 1.2.12

Atomic Gallery

Creates 777 folders Atomic gallery 110711 developer release statement/changelog

myApi

ID Contains "Call-Home" function. Sends private user information to developer. 020711 Developer states Use version 1.3.4.1

mdigg

SQLi (not listed in JED) 020711

Calc Builder

sqli + ID 180611 dev security release 0.0.2

Cool Debate

Cool Debate 1.03 LFI version 1.0.8 released.

Scriptegrator Plugin 1.5.5

LFI 140611 Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6

Joomnik Gallery

SQLi developer update to 0.9.1

JMS fileseller

LFI 0611 developer upgrade announcement to v1.1

sh404SEF

low-level XSS security issue 300511 Dev upgrade statement to 2.2.6

JE Story submit

LFI/RFI developer states Version 1.8

FCKeditor

File Upload Vulnerability 230511

KeyCaptcha

ID 190511

Ask A Question AddOn v1.1

SQLi 160511

Global Flash Gallery

flash-gallery.com xss 130511 dev release 0.5.0 statement

com_google

LFI com_google 080511 devs update to 1.5.1

docman

com-docman Input Validation Error 160511 devs resolution statement, report for old version

Newsletter Subscriber

XSS 120511 Developer update

Akeeba

Akeeba Backup and JoomlaPack 170411 dev update to 3.2.7

Facebook Graph Connect

SID - call-home device with user credentials 120411 dev update notice

booklibrary

SQLi ordasoft booklibrary 180311 developer upgrade instructions

semantic

com semantic http://www.scms.es/joomla creates hidden admin users 150311

JOMSOCIAL 2.0.x 2.1.x

SID, open folders 120311

flexicontent

forced 777, malicious files 250311 devs resolve statement, Changelog

jLabs Google Analytics Counter

jLabs Google Analytics Counter SID

xcloner

Unspecified 260211 dev announcement of security release

smartformer

RFI 230211 (repeat of 041110) v2.4.1 security fix for Joomla 1.5.x

xmap 1.2.10

Malicious payload in zip 230211 developer resolution notice Clean version available from joomlacode

Frontend-User-Access 3.4.1

Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI 030211 update to Frontend-User-Access 3.4.2

com properties 7134

http://com-property.com/ malicious files in script Dev update statement

B2 Portfolio

B2 portfolio 1.0 SQLi pulseextensions.com 250111

allcinevid

SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 220111 Developers resolution notice

People Component

People component http://www.ptt-solution.com/vmchk/people-component.html sqli 150111

Jimtawl

Jimtawl LFI 251110

Maian Media SILVER

Maian Media SQLi 151110 Developer states unproven in free edition, paid/SILVER version is being upgraded. dev article

alfurqan

alfurqan 1.5 sqli 151110 developer update statement

ccboard

ccboard XSS and SQLi 131110 on my site at [1] Please find the respective update information

ProDesk v 1.5

LFI 091110
sponsorwall

SQL injection pulseextensions.com 011110 developer resolution notice
Flip wall

SQL injection pulseextensions.com 011110 developer http://demo.pulseextensions.com/flip-wall.html update notice link title

Freestyle FAQ 1.5.6

http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection new version (1.9.0) is available which fixes the security issues.

iJoomla Magazine 3.0.1

iJoomla Magazine 3.0.1 RFI 090910

Clantools

http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli 090910

jphone

jphone LFI 090910

PicSell

LFD, 777 020910 new version released 150312 version number 11

Zoom Portfolio

SID 020910

zina

SQL Injection 020910

Team's

Teams extension SQL Injection 120810

Amblog

Amblog SQLi 120810

wmtpic

www.webmaster-tips.net various 010710
Jomtube

http://www.jomtube.com/ SID 220710

Rapid Recipe

http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 July 10, 2010

Health & Fitness Stats

http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability July 10, 2010
staticxt

http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided
quickfaq

http://www.schlu.net sqli 090710

Minify4Joomla

http://waltercedric.com/ LFI and xss 090710 No longer available to download

IXXO Cart

http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability developer resolution notice

PaymentsPlus

http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability 090710 current version 2.20, 2.1.5 not listed on dev site

ArtForms

http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities 090710 Old beta extension

autartimonial

autartica.be SQLi Vulnerability 060710
eventcal 1.6.4

http://joomlacode.org/gf/project/eventcal/frs/ SQLi last update 2006-12-31 on joomlacode 040710
date converter

http://sourceforge.net/projects/date-converter/ sqli 010710
real estate

http://www.opensourcetechnologies.com/demos/real-estate.html RFI 210610
cinema

SQL injection 190610

Jreservation

http://jforjoomla.com/ SQLi Vulnerability 190610

joomdocs

http://joomclan.com/index.php/JoomDocs/ xss vulnerability 190610

Live Chat

http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities 190610

Turtushout 0.11

http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) 190610

BF Survey Pro Free

BF Survey Pro Free SQL Injection Exploit 190610 Product marked as retired by the developer

MisterEstate

http://www.misterestate.com/ Blind SQL Injection Exploit 190610

RSMonials

http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit 190610 Believed to be 1.5.1 version
Answers v2.3beta

Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 180610

Gallery XML 1.1

Multiple Vulnerabilities http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504 180610

JFaq 1.2

JFaq 1.2 Multiple Vulnerabilities 180610

Listbingo 1.3

Multiple Vulnerabilities http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062 180610

Alpha User Points

www.alphaplug.com LFI 180610

recruitmentmanager

http://recruitment.focusdev.co.uk Upload Vulnerability 130610

Info Line (MT_ILine)

http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file 120610
Ads manager Annonce

http://joomla.clubnautiquemarine.fr/ Upload Vulnerability 05/06/10

lead article

http://www.leadya.co.il/ SQLi 050610

djartgallery

http://www.design-joomla.eu Multiple Vulnerabilities 05/06/10

Gallery 2 Bridge

g2bridge LFI vulnerability

jsjobs

jsjobs SQL Injection Vulnerability

JE Poll

http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability

MediQnA

MediQnA LFI vulnerability version v1.1

JE Job

http://joomlaextensions.co.in/ LFI SQLi

SectionEx

Stack Ideas SectionEx LFI

ActiveHelper LiveHelp

XSS in LiveHelp 200510

JE Quotation Form

http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI developers statement of resolution note, now known as JE Quote Form

konsultasi

SQL Injection Vulnerability

Seber Cart

Local File Disclosure Vulnerability Developer Update 140510

Camp26 Visitor

RFI www.camp26.biz
JE Property

JE Property Finder Upload Vulnerability

Noticeboard

Noticeboard for Joomla "controller" Local File Inclusion Vulnerability

SmartSite

SmartSite com_smartsite Local File Inclusion Vulnerability

htmlcoderhelper graphics

htmlcoderhelper graphics v1.0.6 LFI Vulnerability

Ultimate Portfolio

Ultimate Portfolio Local File Inclusion Vulnerability

Archery Scores

Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability 210410

ZiMB Manager

Joomla Component ZiMB Manager Local File Inclusion Vulnerability 210410

Matamko

Matamko Local File Inclusion Vulnerability 210410

Multiple Root

Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/

Multiple Map

Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

Contact Us Draw Root Map

Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

iF surfALERT

iF surfALERT Local File Inclusion Vulnerability

GBU FACEBOOK

GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/

jnewspaper

jnewspaper (cid) SQL Injection Vulnerability
MT Fire Eagle

LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com 190410 product considered retired and to be replaced by dev

Sweetykeeper

Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ 120410

jvehicles

SQL Injection http://jvehicles.com 120410

worldrates

http://dev.pucit.edu.pk/ 120410

cvmaker

http://dev.pucit.edu.pk/

advertising

http://dev.pucit.edu.pk/

horoscope

http://dev.pucit.edu.pk/ 120410

webtv

http://dev.pucit.edu.pk/ 120410

diary

http://dev.pucit.edu.pk/ 120410

Memory Book

http://dev.pucit.edu.pk/ 120410

JprojectMan

LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 110410

econtentsite

LFI 040410

Jvehicles

ID 040410

gigcalender

SQLi gigcalender 13 march 2010

heza content

SQLi heza content 13 march 2010
SqlReport

SqlReport has an SQLi/RFI exploit; awaiting confirmation on the exact developer. Feb 20 Not Known

Yelp

SQLi - Unable to locate developer; possibly a custom extension. Feb 01 Not Known

This list is change protected; for updates or additions contact Mandville, lafrance or PhilD.

Codes used

  • SQLi - SQL injection (wikipedia)

  • LFI - Local File Inclusion (scribd)

  • RFI - Remote File Inclusion (wikipedia)

  • DT - Directory Traversal (wikipedia), including 777 folders

  • ID - Information Disclosure: account information or sensitive information publicly viewable, or passed to a 3rd party without the user's knowledge

Future Actions & WIP

  • RSS feed completed

  • To feed VEL directly to Twitter

Notes

The RSS feed is currently ordered by item entry order, not by the date fixed. List as discussed in jtopic:455746 by PhilD; editing by Mandville.