Difference between revisions of "Vulnerable Extensions List"
From Joomla! Documentation
(Remove under investigation page link now deleted)
(701 intermediate revisions by 12 users not shown)
Line 1: | Line 1: | ||
− | |||
− | |||
+ | {{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013] | ||
+ | Please refer to there for the latest updates}} | ||
+ | |||
+ | <!-- ***all wiki editors*** - do NOT touch without notice --> | ||
+ | '''List prior to January 2011 ([[Archived vel|now archived]])''' Please check here also. | ||
+ | <!-- if you have altered the above line then revert your changes and contact me --> | ||
+ | |||
+ | == Check and Report. == | ||
'''Please check with the extension publisher in case of any questions over the security of their product.''' | '''Please check with the extension publisher in case of any questions over the security of their product.''' | ||
− | Report Vulnerable extensions | + | {{notice|small=yes|image=Stop hand nuvola.svg |
− | + | |header=Procedure change|All reports are now to be made via vel.joomla.org}} | |
+ | Report Vulnerable extensions in the [http://vel.joomla.org vel website] | ||
+ | *If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly | ||
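Review bot: "Offical" in the plagiarism bullet on this line should be "Official", and the same misspelling is repeated verbatim in the copy of this bullet under the "January 2011 - Jan 2012" heading; the bullet also lacks a final full stop in both places. Correcting both copies at once keeps the two sections consistent.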
== How to use this list == | == How to use this list == | ||
− | '''Items will be removed after a suitable period and not on resolution''' | + | '''Items will be removed after a suitable period and not on resolution.''' |
− | All known vulnerable extensions are the listed in the first column. Any in <span style="background:red; color:white"> | + | {{notice|This document has now been replaced by the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013] |
− | + | Please refer to there for the latest updates}} | |
− | + | ||
+ | All known vulnerable extensions are the listed in the first column "Extension". Any in a <span style="background:red; color:white">red box </span>are where we have not been given a fix. Any in a <span style="background:#cef2e0; color:black">turquoise box</span> contain a link to the notice about an <span style="background:#cef2e0; color:black">update with link.</span> Any that are in an uncolored box are a "Contact the Developer About This Extension". | ||
+ | Alert Advisory details are in the center column. | ||
+ | If the "Extension Update Link & Date Column has <span style="background:red; color:white">'''Not Known''' </span> then it is where no update is known. | ||
'''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.'' | '''This list is compiled from found information and may not be an up to date accurate list''' ''We do '''NOT''' promise to test or validate these reports. We do '''NOT''' guarantee the quality or effectiveness of any updates reported to us or listed here.'' | ||
To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link] | To sign up for the feed please [http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions follow this link] | ||
+ | * We do not list BETA products, or extensions for J1.0.x | ||
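Review bot: "All known vulnerable extensions are the listed in the first column" should read "are listed", and the sentence on the update column opens a quotation mark that is never closed (`"Extension Update Link & Date Column has`); suggest `If the "Extension Update Link & Date" column shows '''Not Known''', no update is known.` The `{{notice|...}}` template inserted in this section is an exact repeat of the one at the top of the page, so one of the two can go.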
+ | |||
+ | == Developers - How to get yourself removed from the VEL == | ||
+ | |||
+ | Resolved items will be removed after a suitable period and not on resolution | ||
+ | |||
+ | Please solve the issues and: | ||
− | + | * '''If JED listed''' | |
− | + | ||
+ | To have your extension republished, please follow these steps: | ||
+ | |||
+ | 1- Solve the issues. | ||
+ | |||
+ | 2- Attach the new zip file at your actual JED listing. | ||
+ | |||
+ | 3- Change the extension version at JED listing. | ||
+ | |||
+ | 4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately. | ||
+ | |||
+ | 5-complete the resolution form on the website at [http://vel.joomla.org/ vel.joomla.org from 1st May 2013] | ||
+ | |||
+ | 6- Create a [http://bit.ly/velunlist JED listing owner ticket] to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page | ||
− | + | VEL email can be found above and the JED support link is in your notice of "unpublication" [http://extensions.joomla.org/component/maqmahelpdesk/ and here] | |
+ | * '''If not JED listed.''' | ||
+ | Inform us by '''email''' with a notice of resolution, the latest version number '''and''' a link to the security release statement on your website. | ||
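Review bot: the numbered steps are inconsistently formatted: "5-complete the resolution form" lacks the space and capital that "1- Solve", "2- Attach" and "6- Create" use. "Please solve the issues and:" followed by step "1- Solve the issues." says the same thing twice. More importantly, "VEL email can be found above" no longer points at anything, because the procedure-change notice in this revision routes all reports through vel.joomla.org and no email address appears earlier on the page; either restore the address or change the sentence to refer to the vel.joomla.org form.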
+ | == January 2012 and onwards Reported Vulnerable Extensions == | ||
+ | <startFeed /> | ||
{| class="wikitable sortable" border="1" | {| class="wikitable sortable" border="1" | ||
|- | |- | ||
! '''Extension''' | ! '''Extension''' | ||
! class="unsortable"| '''Details''' | ! class="unsortable"| '''Details''' | ||
− | ! ''' | + | ! '''Date Added''' |
− | ! | + | ! class="unsortable" |'''Extension Update Link & Date''' |
+ | |||
+ | |- | ||
+ | | | ||
+ | == civic crm 422== | ||
+ | |upload exploit /RFI | ||
+ | |260413 | ||
+ | |developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1 | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | == alfcontact == | ||
+ | |xss | ||
+ | |230413 | ||
+ | |developer release [http://www.alfsoft.com statement on ALFContact v2.0.8 for J!2.5 ALFContact v3.1.4 for J!3] | ||
+ | |||
+ | |- | ||
+ | | | ||
+ | == aiContactSafe 2.0.19 == | ||
+ | |xss | ||
+ | |160413 | ||
+ | |developer release statement [http://www.algisinfo.com/en/home-bottom/41-xss-in-aicontactsafe.html for version 2.0.21] | ||
+ | |||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == RSfiles== | ||
+ | |SQL | ||
+ | |180313 | ||
+ | |developer release statement [http://www.rsjoomla.com/support/documentation/view-knowledgebase/141-changelog.html for version 12] | ||
+ | |||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == Multiple Customfields Filter for Virtuemart == | ||
+ | |SQLi | ||
+ | |18212 | ||
+ | |developers [http://myext.eu/en/update/47-v1-66 1.6.8 update statement] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == Collector == | ||
+ | |Various [steevo.fr] | ||
+ | |230113 | ||
+ | |developer update [http://www.steevo.fr/en/component/content/article/41-release-051 statement to] 0.5.1 | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == tz guestbook == | ||
+ | |Various | ||
+ | |100113 | ||
+ | |developer release statement [http://www.templaza.com/item/256-tz-guestbook-v1-1-2-security-release for 1.1.2] | ||
+ | |- | ||
+ | | | ||
+ | |||
+ | == extplorer == | ||
+ | | 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass | ||
+ | |251212 | ||
+ | |developer [http://extplorer.net/news/12 update to 2.1.3 statement] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == JooProperty == | ||
+ | |SQLi | ||
+ | |101212 | ||
+ | |developer release new version 1.13.1 - [http://jooproperty.com/en/forum/last-jooproperty-release/277-important-security-fix-released-please-update.html#277 upgrade notice] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == Multiple Customfields Filter for Virtuemart == | ||
+ | |SQLi | ||
+ | |18212 | ||
+ | |developers [http://myext.eu/en/update/47-v1-66 update statement] | ||
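Review bot: this row duplicates the "Multiple Customfields Filter for Virtuemart" entry already listed above (same "SQLi", same "18212", same http://myext.eu/en/update/47-v1-66 URL); only the link text differs ("1.6.8 update statement" versus "update statement"). Keep one row. "18212" is also five digits where every other row uses ddmmyy (for example "101212"), so the date needs checking.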
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == ag google analytic == | ||
+ | |Various | ||
+ | |061212 | ||
+ | | | ||
+ | |- | ||
+ | | | ||
+ | |||
+ | == sh404sef <3.7.0 == | ||
+ | |Undisclosed sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5 | ||
+ | |26112 | ||
+ | |developer [http://anything-digital.com/sh404sef/news/releases/sh404sef-3_7_0_1485-released.html statement] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == Login Failed Log == | ||
+ | |23112 | ||
+ | |ID - information disclosure | ||
+ | |developer [http://www.jm-experts.com/extensions-tools/login-failed-log release statement] to ver 1.5.4 | ||
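Review bot: the "Login Failed Log" row has its Details and Date Added cells swapped: "23112" sits in the Details column and "ID - information disclosure" in the Date Added column. Reorder to `|ID - information disclosure` then `|23112`; "23112" is also one digit short of the ddmmyy form used elsewhere, so confirm the date.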
+ | |- | ||
+ | | | ||
+ | |||
+ | == jNews== | ||
+ | | | ||
+ | |131112 | ||
+ | |developer update [http://www.joobi.co/index.php?option=com_content&view=article&id=8560:security-release-update-to-jnews-79x&catid=93:jnews&Itemid=225 statement to version 7.9.1] 151112 | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | |||
+ | == Joombah Jobs == | ||
+ | |Upload restriction issues | ||
+ | |131112 | ||
+ | |developer update [http://www.joombah.com/home/item/joombah-jobs-security-release-update-now statement] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == commedia == | ||
+ | |RFI | ||
+ | |231012 | ||
+ | |developer update [http://www.ecolora.com/index.php/15-commedia-a-mp3browser-new/77-commedia-3-2-is-not-vulnerable#english statement to version 3.2] 271012 | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | |||
+ | == Kunena == | ||
+ | |SQLi + ID | ||
+ | |221012 | ||
+ | |Developer states [http://www.kunena.org/forum/announcement/id-52 current version not exploitable] by reported methods | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | |||
+ | == Icagenda == | ||
+ | |SQLi | ||
+ | | | ||
+ | |Developer [http://www.joomlic.com/en/extensions/icagenda statement for 1.2.9] | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == JTag [joomlatag] == | ||
+ | |SQLi | ||
+ | | | ||
+ | | | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | == Freestyle Support == | ||
+ | |SQLi | ||
+ | | | ||
+ | |developer update [http://freestyle-joomla.com/help/announcements?announceid=60 statement 251012] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == ACEFTP == | ||
+ | |DT | ||
+ | |011012 | ||
+ | |AceFTP 2.0.0 released. Developer [http://www.joomace.net/blog/aceftp/aceftp-200-has-been-released statement] 101012 | ||
+ | |- | ||
+ | | | ||
+ | |||
+ | == MijoFTP == | ||
+ | |DT | ||
+ | |011012 | ||
+ | |*''reported fixed prior to notification''* | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == spider calendar lite == | ||
+ | |RFI | ||
+ | |180912 | ||
+ | |developer release version 1.5 [http://web-dorado.com/products/joomla-calendar-module.html version] | ||
+ | |- | ||
+ | | | ||
+ | |||
+ | == RokModule == | ||
+ | |SQLi | ||
+ | |Rereported 180912 | ||
+ | |Developer states: no known exploits for our current versions [http://www.rockettheme.com/extensions-downloads/free/1012-rokmodule of RokModule Joomla 2.5 - v1.3 Joomla 1.5 - v1.4] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == ICagenda == | ||
+ | | SQLi | ||
+ | |developer [http://www.joomlic.com/en/extensions/icagenda security release] - v1.2.1 | ||
+ | |080912 | ||
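Review bot: in the "ICagenda" row the update link and the date are in the wrong columns (`|developer [...] security release] - v1.2.1` comes before `|080912`); swap the two cells so "080912" lands under Date Added and the link under Extension Update Link & Date. An "Icagenda" row (SQLi, statement for 1.2.9) also appears higher in the table with an empty date; if that is a later report on the same extension, give it a date so the two rows sort correctly.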
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | |||
+ | == En Masse cart == | ||
+ | |RFI | ||
+ | |060812 | ||
+ | |Developer upgrade statement [http://www.matamko.com/news-update/14-en-masse-releases/142-announcement-for-security-release-enmasse-313.html to 3.1.3] | ||
+ | |- | ||
+ | | | ||
+ | |||
+ | == JCE (joomla content editor) == | ||
+ | |Upload Restriction <2.2.4 | ||
+ | |050812 | ||
+ | |Developer states current version not exploitable | ||
+ | |- | ||
+ | | | ||
+ | |||
+ | == RSGallery2 == | ||
+ | |SQLi XSS | ||
+ | | 31 07 12 | ||
+ | |Devleoper statement versions 3.2.0 for Joomla 2.5 and version 2.3.0 for Joomla 1.5 [http://www.rsgallery2.nl/topicseen./announcements/rsgallery2_3.2.0_and_2.3.0_released_16845.msg44046.html released] | ||
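Review bot: "Devleoper" should be "Developer", and the RSGallery2 date "31 07 12" uses spaces where every other row uses the compact ddmmyy form (for example "160712"); the sortable table will order the spaced value differently, so write it as "310712".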
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == osproperty == | ||
+ | |Unrestricted uploads | ||
+ | |160712 | ||
+ | |Developer release [http://joomservices.com/components/ossolution-property.html version 2.0.3] 180712 | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == KSAdvertiser == | ||
+ | | RFI | ||
+ | |160712 | ||
+ | |The security update version 1.5.72 advise can be found here: | ||
+ | [http://www.kiss-software.de/index.php?option=com_content&view=article&id=251:kiss-advertiser-sicherheitsupdate&catid=69&Itemid=361&lang=de German] [http://www.kiss-software.de/index.php?option=com_content&view=article&id=252:kiss-advertiser-security-update&catid=21&Itemid=362&lang=en English] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == Shipping by State for Virtuemart == | |
− | | | + | |elevated permissions (http://web-expert.gr/en) |
− | + | |160612 | |
+ | | [http://web-expert.gr/en/commersial/virtuemart-shipping-by-state-component Upgrade to v2.5 download] commercial product 300612 | ||
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == ownbiblio 1.5.3 == | |
− | + | |SQLi + | |
− | | | + | |250512 |
− | | | + | | |
|- | |- | ||
− | | | + | | |
− | + | ||
− | + | == Ninjaxplorer <=1.0.6 == | |
− | + | |developer notification | |
− | | | + | |250412 |
− | | | + | |developer statement [http://ninjaforge.com/blog/318-security-vulnerability-discovered-in-ninjaxplorer-upgrade-immediately upgrade to 1.0.7] |
|- | |- | ||
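Review bot: the Details cell of the "Ninjaxplorer <=1.0.6" row reads "developer notification", which names the source of the report rather than the issue, whereas the column header and the other rows give the vulnerability class (SQLi, RFI, DT, XSS); add the issue type, or "Undisclosed" as the sh404sef row does, and keep the source in the update column if it is worth recording.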
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Phoca Fav Icon == | |
− | + | |Permissions Rewrite | |
− | + | |150412 | |
− | + | | [http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released developer update 2.0.3 statement] | |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == estateagent improved == | |
− | + | |sqli (eaimproved.eu) | |
− | | | + | |110412 |
− | | | + | |developer states previous version, not current version |
|- | |- | ||
− | | | + | | |
− | | | + | |
− | + | == bearleague == | |
− | + | |110412 | |
− | + | |sql | |
− | + | |(no longer maintained) | |
|- | |- | ||
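Review bot: the "bearleague" row has "110412" in the Details column and "sql" in the Date Added column; swap them. "sql" on its own does not name an issue type; the rest of the table uses "SQLi" or "sqli" for injection, so use that if an injection is meant.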
− | | | + | | |
− | + | ||
− | + | == JLive! Chat v4.3.1 == | |
− | + | |DT | |
− | | | + | |060412 |
− | + | |Developer reports [http://www.cmsfruit.com/security-measures.html as unproven] | |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == virtuemart 2.0.2 == | |
− | + | |SQLi | |
− | | | + | |050412 |
− | + | |developers [http://virtuemart.net/news/list-all-news/417-happy-easter-new-virtuemart-204-released-security-update-sqli release statement]Current version 2.0.6 released | |
|- | |- | ||
− | | | + | | |
− | | | + | |
− | + | == JE testimonial == | |
− | + | |SQLi | |
− | | | + | |230312 |
− | | | + | |Developer states '''malicious report.''' |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == JaggyBlog == | |
− | + | |excessive file permission | |
− | + | |090212 | |
− | + | |version 1.3.1 [http://www.jaggysnake.co.uk/products/jaggyblog released] | |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == Quickl Form == | |
− | + | |xss | |
− | | | + | |260112 |
− | | | + | | |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == com_advert == | |
− | + | |sqli - unknown developer | |
− | | | + | |240112 |
− | | | + | | |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == Joomla Discussions Component == | |
− | + | |sqli | |
− | | | + | |180112 |
− | | | + | |Discussions 1.4.1 released [http://www.codingfish.com/news/38-joomla/101-discussions-141-released developer statement] |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == HD Video Share (contushdvideoshare) == | |
− | + | |sqli | |
− | | | + | |180112 |
− | + | |updated [http://www.hdvideoshare.net version 2.2] | |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Simple File Upload 1.3 == | |
− | + | |RFI | |
− | + | |010112 | |
− | + | | Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5 | |
|- | |- | ||
− | | | + | | |
− | + | ||
− | + | == == | |
− | + | | | |
− | + | | | |
− | + | | | |
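Review bot: the final row of this table is an empty placeholder (`== ==` with three empty cells) and renders as a blank sortable row with an empty heading; remove it before `|}` or fill in the extension it was reserved for.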
+ | |}<endFeed /> | ||
+ | |||
+ | == January 2011 - Jan 2012 Reported Vulnerable Extensions == | ||
+ | |||
+ | |||
+ | '''Please check with the extension publisher in case of any questions over the security of their product.''' | ||
+ | Report Vulnerable extensions either in the [[jforum:432]] security topic clearly marked with the first word in the title being ''Vulnerable Report'' where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the [http://docs.joomla.org/Vulnerable_Extensions_List#Codes_used codes] | ||
+ | *If you are seeing this page on any site other than [http://docs.joomla.org/Vulnerable_Extensions_List the Offical Joomla Documentation] you may be seeing an out of date version or experiencing [http://en.wikipedia.org/wiki/Plagiarism plagiary] and the links may not work properly | ||
+ | |||
+ | <startFeed /> | ||
+ | {| class="wikitable sortable" border="1" | ||
|- | |- | ||
− | + | ! '''Extension''' | |
− | + | ! class="unsortable"| '''Details''' | |
− | + | ! '''Date Added''' | |
− | + | ! class="unsortable" |'''Extension Update Link & Date''' | |
− | |||
− | |||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | == Simple File Upload 1.3 == |
− | + | |RFI | |
− | + | |010112 | |
− | + | | Developer update [http://wasen.net/index.php?option=com_content&view=article&id=64:simple-file-upload-download&catid=40:project-simple-file-upload&Itemid=59 statement] to 1.3.5 | |
− | |||
|- | |- | ||
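Review bot: this "Simple File Upload 1.3" row (RFI, 010112, update statement to 1.3.5) is a verbatim copy of the last entry of the January 2012 table above, including the wasen.net URL; keep it in one section only, otherwise the feed carries the same item twice.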
− | | | + | |style="background:red; color:white" | |
− | | | + | |
− | + | == Dshop == | |
− | + | |sqli (possibly dhrusya.com) | |
− | | | + | |201111 |
− | | | + | | |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == QContacts 1.0.6 == | |
− | + | |sqli | |
− | | | + | |131211 |
− | | | + | | |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == Jobprofile 1.0 == | |
− | + | | SQL Injection Vulnerability | |
− | | | + | |051211 |
− | | | + | | |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == JX Finder 2.0.1 == | |
− | + | | XSS Vulnerabilities | |
− | | | + | |011211 |
− | + | | | |
+ | |||
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == wdbanners == | |
− | + | |Unknown Exploit | |
− | | | + | |301111 |
− | | | + | | |
|- | |- | ||
− | | | + | | |
− | | | + | == JB Captify Content J1.5 and J1.7 == |
− | + | |Security checks missing -Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip | |
− | + | |141111 | |
− | + | |All extensions available on the [http://joomlabamboo.com site have been updated] and this potential security issue has been resolved. | |
− | |||
|- | |- | ||
− | | | + | | |
− | | | + | |
− | + | == JB Microblog == | |
− | + | |Security checks missing - J1.7 only. Versions prior to 1.10.3 | |
− | | | + | |14111 |
− | + | |All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved. | |
|- | |- | ||
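Review bot: "14111" in the JB Microblog row is one digit short of ddmmyy; the neighbouring JB rows carry "141111", which is probably the intended value. In the same row, and again in the JB Slideshow and JB Bamboobox rows below, `[joomlabamboo.com site have been updated]` has no URL scheme, so MediaWiki renders it as literal bracketed text rather than an external link; use `[http://joomlabamboo.com site have been updated]` as the JB Captify Content row does.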
− | | | + | | |
− | + | ||
− | + | == JB Slideshow <3.5.1, == | |
− | + | |Security checks missing | |
− | + | |141111 | |
− | | | + | |All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved. |
|- | |- | ||
− | | | + | | |
− | |||
− | |||
− | |||
− | | | + | == JB Bamboobox == |
− | | | + | |Security checks missing - J1.5 all versions prior to 1.2.2 |
+ | |141111 | ||
+ | |All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved. | ||
|- | |- | ||
− | | | + | | |
− | | | + | == RokModule == |
− | + | |SQLI - exploits RokStock RokWeather RokNewspager | |
− | + | |121111 | |
− | + | |developer release statement [http://www.rockettheme.com/blog/extensions/1300-important-security-vulnerability-fixed RokModule v1.3 for Joomla 1.7 RokModule v1.4 for Joomla 1.5] | |
− | + | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == hm community == | |
− | + | |Multiple Vulnerabilities | |
− | + | |011111 | |
− | + | |developer release [http://joomlaextensions.co.in/product/HM-Community 1.01] | |
|- | |- | ||
− | | style="background:#cef2e0; color:black" | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == Alameda == | |
− | + | |SQLi | |
− | | | + | |01111 |
− | | | + | |developer statement [http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=category&id=5&Itemid=28 and Latest version number v1.0.1.] |
|- | |- | ||
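Review bot: "01111" in the Alameda row is five digits; the adjacent rows are "011111" and "291011", so verify the date. The link text "and Latest version number v1.0.1." reads as a fragment; "developer statement, latest version v1.0.1" is clearer.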
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == Techfolio 1.0 == | |
− | + | |Techfolio 1.0 SQLI | |
− | + | |291011 | |
− | | | + | | |
|- | |- | ||
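Review bot: the Techfolio 1.0 row is styled turquoise (`background:#cef2e0`), which the legend at the top defines as "contain a link to the notice about an update", but its Extension Update Link & Date cell is empty. Either add the update link or change the style to match the status (red for no fix known, uncoloured for "contact the developer"), otherwise readers will take the colour as evidence that a fix exists.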
− | | | + | |style="background:#cef2e0; color:black" | |
− | |||
− | |||
− | |||
− | |||
− | |||
+ | == Barter Sites 1.3 == | ||
+ | |Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities | ||
+ | |291011 | ||
+ | |developer [http://my.barter-sites.com/index.php?option=com_content&view=article&id=6&Itemid=25 release 1.3.1] | ||
|- | |- | ||
− | | style="background:#cef2e0; color:black" | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == Jeema SMS 3.2 == | |
− | + | |Jeema SMS 3.2 Multiple Vulnerabilities | |
− | | | + | |291011 |
− | | | + | |developer resolution notice [http://jeema.net/about-us/securty-releases.html for 3.5.2] |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | + | ||
− | + | == Vik Real Estate 1.0 == | |
− | + | |Vik Real Estate 1.0 Multiple Blind SqlI | |
− | | | + | |291011 |
− | | | + | | |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == yj contact == | |
− | + | |LFI (youjoomla contact) | |
− | + | |241011 | |
− | + | |developer update statement [http://www.youjoomla.com/yj-contact-us-1.0.1-released.html 261011] | |
+ | |||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == NoNumber Framework == | |
− | + | | Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing!* Tooltips* Tabber* Sourcerer* Slider* Timed Styles* Modules Anywhere* Modalizer* ReReplacer* Snippets* DB Replacer* CustoMenu* Content Templater* CDN for Joomla!* Cache Cleaner* Better Preview | |
− | + | |181011 | |
− | + | |see http://feeds.feedburner.com/nonumber/news for updates of various extensions | |
|- | |- | ||
− | | | + | |style="background:red; color:white" | |
− | | | + | |
− | + | == Time Returns == | |
− | + | |SQLi takeaweb.it | |
− | + | |151011 | |
− | + | |No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old version are no longer supported) http://www.takeaweb.it | |
− | |||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == Simple File Upload == |
− | | | + | |LFI |
+ | |300811 | ||
+ | |developer advice [http://wasen.net/index.php?option=com_content&view=article&id=64&Itemid=59 page] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == Jumi == | |
− | + | |LFI | |
− | | | + | |300811 |
− | | | + | |Developer states proper use of joomla administration/extension documentation reading |
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Joomla content editor == | |
− | + | |JCE lfi/rfi vulnerability | |
+ | | | ||
+ | |JCE 2.0.11 and JCE 1.5.7.14 [http://www.joomlacontenteditor.net/news/item/jce-2011-released have been released] | ||
+ | |||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == Google Website Optimizer == |
− | + | |Numerous vulnerabilities. Website Optimizer, Pearl Group | |
+ | |290811 | ||
+ | |developer update [http://www.pearl-group.com/optimizer-changelog statement to ver. 1.4.0] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | | | + | == Almond Classifieds == |
− | | | + | |777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) |
+ | |260811 | ||
+ | |developer resolution [http://www.almondsoft.com/acj/ notice] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == joomtouch == |
− | + | |LFI/RFI | |
+ | |180811 | ||
+ | |developers [http://www.joomtouch.com/ultime/4-risolta-la-vulnerabilita-di-joomtouch.html resolution notice 1.0.3] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == RAXO All-mode PRO == |
− | + | |Timthumb RFI | |
+ | |110811 | ||
+ | |[http://raxo.org/forum/viewtopic.php?f=2&t=60#p2056 developer upgrade 1.5.0 statement] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == V-portfolio == |
− | + | |DT - open folders | |
+ | |110811 | ||
+ | | [http://vsmart-extensions.com/index.php?option=com_content&view=article&id=61 developer resolution statement] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == obSuggest == |
− | + | |LFI | |
+ | |310711 | ||
+ | |developer [http://foobla.com/news/latest/obsuggest-1.8-security-release.html release statement] | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == Simple Page == |
− | + | |LFI | |
+ | |230711 | ||
+ | |developer update [http://omar84.com/latest-news/65-simple-page-options-1517-security-release statement] v1.5.17 has been released | ||
|- | |- | ||
− | | style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == JE Story == |
− | | | + | |LFI |
+ | |230711 | ||
+ | |[http://joomlaextensions.co.in/extensions/components/je-story-submit.html devloper security update] notice to ver 1.9 | ||
|- | |- | ||
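Review bot: "devloper security update" in the JE Story row should be "developer security update".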
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == appointment booking pro == |
− | + | |LFI 22071 | |
+ | | | ||
+ | |[http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 developer update security announcement] Current 2.0.1 and 1.4.x versions, are '''not''' vulnerable, | ||
|- | |- | ||
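Review bot: in the "appointment booking pro" row the Details cell reads "LFI 22071" while the Date Added cell is empty; "22071" looks like a truncated date that belongs in the date column (the neighbouring rows use "220711"). The trailing comma after "are '''not''' vulnerable," should be a full stop.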
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == acajoom == |
− | | | + | |xss (admin permission required) |
+ | |220711 | ||
+ | |updated to 5.20 | ||
|- | |- | ||
− | | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == gTranslate == | |
− | + | |ID - | |
+ | |220711 | ||
+ | |[http://edo.webmaster.am/gtranslate-changelog developer security release] 1.5 x.25 and 1.6 x.26. | ||
|- | |- | ||
− | | style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == alpharegistration == |
− | | | + | |http://www.alphaplug.com/ Please contact the developer for any questions on this extension |
+ | |170711 220711 | ||
+ | | | ||
|- | |- | ||
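Review bot: the alpharegistration row carries two dates, "170711 220711", in the Date Added column, which the sortable table cannot order; keep the date added there and move the second date into the update column with a word explaining it, the way osproperty records "180712" after its update link.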
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | | | + | == Jforce == |
− | | | + | |DT - |
+ | |170711 | ||
+ | | [http://www.jforce.com/blog/270-jforce-security-release.html developer states The new version number v1.5r1362 resolves the problem] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | | [http:// | + | == Flash Magazine Deluxe Joomla == |
− | | | + | |ID [http://www.joomplace.com/joomla-components/flash-magazine-deluxe-component.html multiple vulnerabilities] |
+ | |170711 | ||
+ | |[http://www.joomplace.com/news-blog/flashmagazine-deluxe-2-1-4-security-release.html developer release] 2.1.4 | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | |||
− | |||
− | |||
+ | == AVreloaded == | ||
+ | |SQLi - version 1.2.6 | ||
+ | |150711 | ||
+ | |[http://allvideos.fritz-elfert.de/ 1.2.7 released developer release statement 160711] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | == Sobi == |
− | |[http:// | + | |SQLI - |
− | + | |130711 | |
+ | |[http://www.sigsiu.net/changelog developer fix and update statement] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == fabrik == | |
− | | | + | |sqli |
− | | | + | |120711 |
+ | |[http://fabrikar.com/downloads/details/36/89 Developers Update statement 2.1] | ||
|- | |- | ||
− | | | + | | |
− | | | + | |
− | | | + | == xmap == |
− | + | |sqli 1.2.11 | |
+ | |120711 | ||
+ | |upgrade to 1.2.12 | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Atomic Gallery == | |
− | |[http://www. | + | |Creates 777 folders [http://www.atomicon.nl/atomicongallery Atomic gallery] |
− | + | |110711 | |
+ | |developer [http://www.atomicon.nl/atomicongallery#changelog release statement/changelog] | ||
|- | |- | ||
− | | | + | | |
− | | | + | |
− | | | + | == myApi == |
− | | [http:// | + | |ID [http://extensions.joomla.org/component/mtree/social-web/facebook-integration/11624 Contains "Call-Home" function. Sends private user information to developer.] |
+ | |020711 | ||
+ | |[http://www.myapi.co.uk/ Developer states Use version 1.3.4.1] | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
+ | == mdigg == | ||
+ | |SQL I (not listed in JED) | ||
+ | |020711 | ||
| | | | ||
− | |||
|- | |- | ||
− | + | |style="background:#cef2e0; color:black" | | |
− | |||
− | |||
− | |style="background:#cef2e0; color:black" | | ||
− | |||
− | - | + | == Calc Builder == |
+ | |sqli + ID | ||
+ | |180611 | ||
+ | | [http://components.moonsoft.es/downloadcalcbuilder dev security release 0.0.2] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
− | == | + | == Cool Debate == |
− | + | |Cool Debate 1.03 LFI | |
+ | | | ||
+ | | version [http://www.acoolsip.com/development/a-cool-debate.html 1.0.8 released.] | ||
|- | |- | ||
− | + | |style="background:red; color:white" | | |
− | + | ||
− | + | == == | |
− | + | | | |
+ | | | ||
+ | | | ||
|- | |- | ||
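Review bot: the row between Cool Debate and Scriptegrator is an empty placeholder (`== ==`, three empty cells) styled red, so it renders as a blank row that implies an unresolved entry with no name; remove it or fill in the extension.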
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Scriptegrator Plugin 1.5.5== | |
− | + | |LFI | |
− | + | |140611 | |
+ | | [http://www.greatjoomla.com/news/index.html Update - Core Design Scriptegrator plugin 2.0.9 &] 1.5.6 | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Joomnik Gallery == | |
− | + | |SQLi | |
− | + | | | |
+ | |[http://joomlacode.org/gf/project/joomnik/ developer update to 0.9.1] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | + | == JMS fileseller == | |
− | | | + | |LFI |
− | + | |0611 | |
+ | |[http://joommasters.com/commercial-extensions/components/jms-fileseller.html developer upgrade announcement to v1.1] | ||
|- | |- | ||
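Review bot: "0611" in the JMS fileseller row is not a complete ddmmyy date (neighbours use "140611" and "300511"); fill in the day or leave the cell empty as the other undated rows do.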
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == sh404SEF == | |
− | + | |low-level XSS security issue | |
+ | |300511 | ||
+ | |[http://dev.anything-digital.com/Forum/Announcements/11147-sh404SEF-2.2.6-now-available-for-Joomla-1.5/ Dev upgrade statement to 2.2.6] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == JE Story submit == |
− | + | |LFI/RFI | |
+ | | | ||
+ | |[http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&flypage=flypage.tpl&product_id=77&category_id=13&vmcchk=1 developer states Version 1.8] | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == FCKeditor == |
− | | | + | |File Upload Vulnerability |
+ | |230511 | ||
+ | | | ||
|- | |- | ||
− | | style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == KeyCaptcha == |
− | | | + | |ID |
+ | |190511 | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == Ask A Question AddOn v1.1 == |
− | | | + | |SQLi |
+ | |160511 | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Global Flash Gallery == | |
− | + | |flash-gallery.com xss | |
+ | |130511 | ||
+ | |[http://flash-gallery.com/help/joomla-extension/faq/security-update-0.5.0/ dev release 0.5.0 statement] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == com_google == |
− | + | |LFI [http://freejoomlacomponent.appspot.com/ com_google] | |
+ | |080511 | ||
+ | |[http://freejoomlacomponent.appspot.com/securityrelease.html devs update to 1.5.1] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == docman == |
− | | | + | |com-docman Input Validation Error |
+ | |160511 | ||
+ | |[http://forum.joomla.org/viewtopic.php?p=2502904#p2502904 devs resolution statement, report for old version] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Newsletter Subscriber == | |
− | + | |XSS | |
+ | |120511 | ||
+ | |[http://mavrosxristoforos.com/joomla-extensions/free/newsletter-subscriber Deveopler update] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Akeeba == | |
− | + | |akkeba backup and joomlapack | |
+ | |170411 | ||
+ | |[https://www.akeebabackup.com/home/item/1091-akeeba-backup-3-2-7.html dev update to 3.2.7] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | == Facebook Graph Connect == |
− | + | |SID. call home device with user credentials | |
+ | |120411 | ||
+ | |[http://www.sikkimonline.info/security-notice dev update notice] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | |[http:// | + | == booklibrary == |
− | + | |SQLi ordasoft booklibrary | |
+ | |180311 | ||
+ | |[http://ordasoft.com/Book-Library/security-upgrade-instructions-for-book-library.html developer upgrade instructions] | ||
|- | |- | ||
− | | style="background: | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == semantic == |
− | | | + | |com semantic http://www.scms.es/joomla creates hidden admin users |
+ | |150311 | ||
+ | | | ||
|- | |- | ||
− | | | + | | |
− | + | ||
− | | | + | == JOMSOCIAL 2.0.x 2.1.x == |
− | | | + | |SID, open folders |
+ | |120311 | ||
+ | | | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | |[http://www. | + | == flexicontent == |
− | + | |forced 777, malicious files | |
+ | |250311 | ||
+ | |[http://www.flexicontent.org/home/item/192-flexicontent-154-is-finally-out.html devs resolve statement], [http://www.flexicontent.org/downloads/latest-version.html Changelog] | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | == jLabs Google Analytics Counter == |
− | | | + | |jLabs Google Analytics Counter SID |
− | | | + | | |
+ | | | ||
|- | |- | ||
− | | | + | | |
− | | | + | == xcloner == |
− | + | |Unspecified | |
− | + | |260211 | |
+ | |[http://www.xcloner.com/xcloner-news/important-security-upgrade/ dev announcement of security release] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | |[http://www. | + | == smartformer == |
− | + | |RFI | |
+ | |230211 (repeat of 041110) | ||
+ | |[http://www.itoris.com/joomla-form-builder-smartformer.html v2.4.1 security fix for Joomla 1.5.x] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == xmap 1.2.10 == | |
− | + | |Malicious payload in zip | |
− | + | |230211 | |
+ | |[http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice developer resolution notic]e Clean version available from [http://joomlacode.org/gf/project/xmap/frs/ joomlacode] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | + | == Frontend-User-Access 3.4.1 == | |
− | |[http:// | + | |Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI |
− | |style="background: | + | |030211 |
+ | |update to [http://extensions.joomla.org/extensions/access-a-security/frontend-access-control/6874 Frontend-User-Access 3.4.2] | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | |||
+ | == com properties 7134 == | ||
+ | | http://com-property.com/ malicious files in script | ||
+ | | | ||
+ | |[http://joomlacode.org/gf/project/property/frs/?action=FrsReleaseBrowse&frs_package_id=5815 Dev update statement] | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == B2 Portfolio == |
− | | | + | |B2 portfolio 1.0 SQLi pulseextensions.com |
+ | |250111 | ||
+ | | | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | + | ||
− | | | + | == allcinevid == |
− | | | + | |SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 |
+ | |220111 | ||
+ | |[http://www.joomtraders.com/our-blog/allcinevid-1.0-sql-injection.html Developers resolution notice] | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == People Component == |
− | | | + | |People component http://www.ptt-solution.com/vmchk/people-component.html sqli |
+ | |150111 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Jimtawl == |
− | | | + | |Jimtawl LFI |
+ | |251110 | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | + | == Maian Media SILVER == | |
− | + | |Maian Media SQLi | |
+ | |151110 | ||
+ | |Developer states unproven in free edition, paid/SILVER version is being upgraded. [http://www.aretimes.com/index.php?option=com_content&view=category&layout=blog&id=40&Itemid=113 dev article] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | |[http:// | + | == alfurqan == |
− | + | |alfurqan 1.5 sqli | |
+ | |151110 | ||
+ | |developer update [http://forums.islamis4u.com/index.php/topic%2c83.0.html statement] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | |[http:// | + | == ccboard == |
− | + | |[http://extensions.joomla.org/extensions/communication/forum/6823 ccboard XSS and SQLi] | |
+ | |131110 | ||
+ | | on my site at [http://codeclassic.org/component/content/article/1-latest-news/83-ccboard-13-released.html] Please find the respective update information | ||
+ | |||
|- | |- | ||
− | | style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == ProDesk v 1.5 == |
− | | | + | |LFI |
+ | |091110 | ||
+ | | | ||
+ | |||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | |[http:// | + | == sponsorwall == |
− | + | |SQL injection pulseextensions.com | |
+ | |011110 | ||
+ | |developer [http://demo.pulseextensions.com/sponsor-wall.html resolution notice] | ||
|- | |- | ||
− | |style="background:#cef2e0; color:black" | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | | | + | |
− | + | == Flip wall == | |
+ | |SQL injection pulseextensions.com | ||
+ | |011110 | ||
+ | | developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title] | ||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | |
− | |[http:// | + | == Freestyle FAQ 1.5.6 == |
− | + | |http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection | |
+ | | | ||
+ | |[http://freestyle-joomla.com/index.php?announceid=43 new version (1.9.0) is available which fixes] the security issues. | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == iJoomla Magazine 3.0.1 == |
− | | | + | |iJoomla Magazine 3.0.1 RFI |
+ | |090910 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Clantools == |
− | | | + | | |
+ | |http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli | ||
+ | |090910 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == jphone == |
− | + | |jphone LFI | |
+ | |090910 | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | |[http:// | + | == PicSell == |
− | |[http:// | + | |[http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131Picsell LFD, 777] |
− | + | |020910 | |
+ | |new version [http://vm.xmlswf.com/picsell released 150312] version number 11 | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Zoom Portfolio == |
− | | | + | |SID |
+ | |020910 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | |[http://www. | + | == zina == |
− | | | + | |[http://www.pancake.org/zina/ SQL Injection] |
+ | |020910 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" |' | + | |style="background:red; color:white" | |
− | + | ||
− | |[http://www. | + | == Team's == |
− | | | + | |[http://www.joomlamo.com Teams extension] SQL Injection |
+ | |120810 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | |[http:// | + | == Amblog == |
− | | | + | |[http://robitbt.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=8 Amblog] SQLi |
+ | |120810 | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == == |
− | | | + | | |
+ | | | ||
+ | | | ||
|- | |- | ||
− | | | + | | |
− | | | + | == == |
− | | | + | | |
− | | | + | | |
+ | | | ||
|- | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == wmtpic == | ||
+ | |www.webmaster-tips.net various | ||
+ | |010710 | ||
| | | | ||
+ | |||
+ | |||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == Jomtube == | ||
+ | |http://www.jomtube.com/ SID | ||
+ | |220710 | ||
| | | | ||
| | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == Rapid Recipe == | ||
+ | |http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 | ||
+ | |july 10,2010 | ||
| | | | ||
− | | | + | |- |
+ | |style="background:red; color:white" | | ||
− | -- | + | == Health & Fitness Stats == |
+ | |http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010 | ||
+ | | | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | == staticxt == | ||
+ | |http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided | ||
+ | | | ||
+ | | | ||
− | |||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
− | + | == quickfaq == | |
− | + | |http://www.schlu.net sqli | |
− | + | |090710 | |
− | + | | | |
+ | |- | ||
+ | |style="background:red; color:white" | | ||
− | + | == Minify4Joomla == | |
+ | |http://waltercedric.com/ LFI and xss | ||
+ | |090710 | ||
+ | |No longer available to download | ||
+ | |- | ||
+ | |style="background:#cef2e0; color:black" | | ||
+ | == IXXO Cart == | ||
+ | |http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability | ||
+ | | | ||
+ | |developer resolution [http://support.ixxoglobal.com/index.php?/News/NewsItem/View/22/ixxo-cart-new-release-v41190 notice] | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
− | + | == PaymentsPlus == | |
+ | |http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability | ||
+ | |090710 | ||
+ | |current version 2.20, 2.1.5 not listed on dev site | ||
|- | |- | ||
− | + | |style="background:red; color:white" | | |
− | + | ||
− | + | == ArtForms == | |
− | + | |http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities | |
+ | |090710 | ||
+ | | Old beta extension | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
+ | == autartimonial == | ||
+ | |autartica.be Sqli Vulnerability | ||
+ | |060710 | ||
| | | | ||
− | + | ||
+ | |||
+ | |||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
+ | == eventcal 1.6.4 == | ||
+ | |http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode | ||
+ | |040710 | ||
| | | | ||
− | + | ||
+ | |||
+ | |||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | + | |style="background:red; color:white" | |
− | | | + | |
+ | == date converter == | ||
+ | |http://sourceforge.net/projects/date-converter/ sqli | ||
+ | |010710 | ||
| | | | ||
− | + | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | + | |style="background:red; color:white" | |
− | | | + | |
+ | == real estate == | ||
+ | |http://www.opensourcetechnologies.com/demos/real-estate.html RFI | ||
+ | |210610 | ||
| | | | ||
− | + | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == cinema == |
− | | | + | |SQL injection |
+ | |190610 | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Jreservation == |
− | | | + | |http://jforjoomla.com/ SQLi Vulnerability |
+ | |190610 | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | + | |style="background:red; color:white" | |
− | | | + | |
+ | == joomdocs == | ||
+ | |http://joomclan.com/index.php/JoomDocs/ xss vulnerability | ||
+ | |190610 | ||
| | | | ||
− | + | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
+ | == Live Chat == | ||
+ | |http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities | ||
+ | |190610 | ||
| | | | ||
− | |||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
+ | == Turtushout 0.11 == | ||
+ | | http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) | ||
+ | |190610 | ||
| | | | ||
− | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | SQL Injection | + | == BF Survey Pro Free == |
+ | |BF Survey Pro Free SQL Injection Exploit | ||
+ | |190610 | ||
+ | |Product marker as retired by the developer | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == MisterEstate == | ||
+ | |http://www.misterestate.com/ Blind SQL Injection Exploit | ||
+ | |190610 | ||
| | | | ||
− | |||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | + | == RSMonials == | |
+ | |http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit | ||
+ | |190610 | ||
+ | |Believed to be 1.5.1 version | ||
+ | |||
+ | |||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == Answers v2.3beta == | ||
+ | |Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 | ||
+ | |180610 | ||
| | | | ||
− | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Gallery XML 1.1 == |
− | | | + | |Multiple Vulnerabilities |
+ | http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504 | ||
+ | |180610 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == JFaq 1.2 == |
− | | | + | |JFaq 1.2 Multiple Vulnerabilities |
+ | |180610 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
+ | == Listbingo 1.3 == | ||
+ | |Multiple Vulnerabilities | ||
+ | http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062 | ||
+ | |180610 | ||
| | | | ||
− | + | ||
|- | |- | ||
− | | style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Alpha User Points == |
− | | | + | |www.alphaplug.com LFI |
+ | |180610 | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == recruitmentmanager == |
− | | | + | |http://recruitment.focusdev.co.uk Upload Vulnerability |
+ | |130610 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Info Line (MT_ILine) == |
− | | | + | |http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file |
+ | |120610 | ||
+ | | | ||
+ | |||
+ | |||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == Ads manager Annonce == |
− | | | + | |http://joomla.clubnautiquemarine.fr/ |
+ | Upload Vulnerability | ||
+ | | 05/06/10 | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == lead article == |
− | | | + | |http://www.leadya.co.il/ SQLi |
+ | |050610 | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == djartgallery == |
− | | | + | |http://www.design-joomla.eu Multiple Vul |
+ | |05/06/10 | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Gallery 2 Bridge == |
− | | | + | |[http://trac.4theweb.nl/g2bridge g2bridge] LFI vulnerability |
+ | | | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | + | ||
− | |[http://www. | + | == jsjobs == |
− | | | + | |[http://www.joomsky.com jsjobs] SQL Injection Vulnerability |
+ | | | ||
+ | | | ||
|- | |- | ||
− | | | + | | |
− | | | + | |
− | | | + | == == |
− | | | + | | |
+ | | | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | | | + | == JE Poll == |
− | | | + | |http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability |
+ | | | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == MediQnA == |
− | | | + | |MediQnA LFI vulnerability version : v1.1 |
+ | | | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == JE Job == |
− | | | + | |http://joomlaextensions.co.in/ LFI SQLi |
+ | | | ||
+ | | | ||
+ | |||
|- | |- | ||
− | | | + | | |
− | | | + | |
− | | | + | == == |
− | + | | | |
+ | | | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == SectionEx == |
− | | | + | |Stack Ideas section Ex LFI |
+ | | | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | + | ||
− | |[http:// | + | == ActiveHelper LiveHelp == |
− | | | + | |XSS in [http://extensions.joomla.org/extensions/communication/chat/12492 LiveHelp] |
+ | |200510 | ||
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:#cef2e0; color:black" | |
− | | | + | == JE Quotation Form == |
− | |[http:// | + | |http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI |
− | + | | | |
+ | |developers statement of [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form resolution] '''note''', now known as [http://joomlaextensions.co.in/extensions/joomla-components/product/JE-Quote-Form JE Quote Form] | ||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | + | == konsultasi == | |
− | | | + | |SQL Injection Vulnerability |
− | + | | | |
+ | | | ||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | + | == Seber Cart == | |
− | + | |Local File Disclosure Vulnerability | |
+ | | | ||
+ | |[http://www.sebercart.com/index.php?option=com_content&view=article&id=158 Developer Update 140510] | ||
+ | |||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Camp26 Visitor == |
− | | | + | |RFI www.camp26.biz |
+ | | | ||
+ | | | ||
+ | |||
+ | |||
+ | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == JE Property == |
− | | | + | |JE Property Finder Upload Vulnerability |
+ | | | ||
+ | | | ||
|- | |- | ||
− | |style="background:red; color:white" | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | == Noticeboard == |
− | | | + | |Noticeboard for Joomla "controller" Local File Inclusion Vulnerability |
+ | | | ||
+ | | | ||
|- | |- | ||
− | |style="background: | + | |style="background:red; color:white" | |
− | | | + | |
− | | | + | ==SmartSite == |
− | | | + | |SmartSite com_smartsite Local File Inclusion Vulnerability |
+ | | | ||
+ | | | ||
+ | |||
|- | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == htmlcoderhelper graphics == | ||
+ | |htmlcoderhelper graphics v1.0.6 LFI Vulnerability | ||
| | | | ||
| | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == Ultimate Portfolio == | ||
+ | |Ultimate Portfolio Local File Inclusion Vulnerability | ||
| | | | ||
| | | | ||
− | |||
− | = | + | |- |
− | + | |style="background:red; color:white" | | |
+ | == Archery Scores == | ||
+ | | [http://lispeltuut.org/ Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability] | ||
− | = | + | |210410 |
− | + | | | |
+ | |- | ||
+ | |style="background:red; color:white" | | ||
− | + | == ZiMB Manager == | |
− | + | |Joomla Component ZiMB Manager Local File Inclusion Vulnerability | |
+ | |210410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
− | + | == Matamko == | |
+ | |Matamko Local File Inclusion Vulnerability | ||
+ | |210410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
− | + | == Multiple Root == | |
+ | |Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/ | ||
+ | | | ||
+ | | | ||
|- | |- | ||
− | + | |style="background:red; color:white" | | |
− | + | ||
− | + | == Multiple Map == | |
− | + | |Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | |
+ | | | ||
+ | | | ||
|- | |- | ||
|style="background:red; color:white" | | |style="background:red; color:white" | | ||
− | == | + | == Contact Us Draw Root Map == |
− | | | + | |Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com |
− | | | + | | |
− | | | + | | |
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | == | + | == iF surfALERT == |
− | | | + | |[http://www.inertialfate.za.net/ iF surfALERT] Local File Inclusion Vulnerability |
+ | | | ||
| | | | ||
− | |||
|- | |- | ||
− | |style="background:red; color:white" | | + | |style="background:red; color:white" | |
− | == | + | == GBU FACEBOOK == |
+ | |GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/ | ||
+ | | | ||
| | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | |||
+ | == jnewspaper == | ||
+ | |jnewspaper (cid) SQL Injection Vulnerability | ||
| | | | ||
| | | | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
|- | |- | ||
− | + | | | |
== == | == == | ||
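Review bot: the Flip wall row still carries the wiki editor's placeholder external link in `| developer http://demo.pulseextensions.com/flip-wall.html update notice [http://www.example.com link title]`; drop `[http://www.example.com link title]` so readers are not sent to example.com. Two more link fixes in this hunk: the xmap row closes its link one character early (`developer resolution notic]e`), and the PicSell row has no space between the URL and its label (`&Itemid=131Picsell LFD, 777]`), so `131Picsell` becomes part of the link target. The rows that contain only a bare `== ==` heading render as blank section headings inside the table and can be removed, and "Deveopler update" (Newsletter Subscriber) and "Product marker as retired" (BF Survey Pro Free) are typos.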
Line 921: | Line 1,525: | ||
| | | | ||
| | | | ||
− | | | + | |- |
− | + | |style="background:red; color:white" | | |
+ | == MT Fire Eagle == | ||
+ | |||
+ | |LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com | ||
+ | | 190410 | ||
+ | | product considered retired and to be replaced by dev | ||
+ | |||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == Sweetykeeper == | ||
+ | |Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ | ||
+ | |120410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == jvehicles == | ||
+ | |SQL Injection http://jvehicles.com | ||
+ | |120410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == worldrates == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | |120410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == cvmaker == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | | | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == advertising == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | | | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == horoscope == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | |120410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == webtv == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | |120410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == diary == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | |120410 | ||
+ | | | ||
+ | |||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == Memory Book == | ||
+ | |http://dev.pucit.edu.pk/ | ||
+ | |120410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == JprojectMan == | ||
+ | |LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 | ||
+ | |110410 | ||
+ | | | ||
+ | |||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
+ | |||
+ | == econtentsite == | ||
+ | |LFI | ||
+ | |040410 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
− | + | == Jvehicles == | |
− | + | |ID | |
+ | |040410 | ||
+ | | | ||
+ | |- | ||
+ | | | ||
− | == | + | == == |
− | + | | | |
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
− | + | == gigcalender == | |
− | + | |SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender] | |
+ | |13 march 2010 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white"| | ||
− | + | == heza content == | |
+ | |SQLi [http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427)http://extensions.joomla.org/extensions/structure-a-navigation/sections-a-categories/10427 heza content] | ||
+ | |13 march 2010 | ||
+ | | | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | == SqlReport == | ||
+ | |Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer. | ||
+ | |Feb 20 | ||
+ | |'''Not Known''' | ||
+ | |- | ||
+ | |style="background:red; color:white" | | ||
+ | == Yelp == | ||
+ | | SQLi - Unable to locate developer. Possibly a custom extension. | ||
+ | |Feb 01 | ||
+ | |style="background:red; color:white" | ''' Not Known''' | ||
+ | |- | ||
− | + | |- | |
+ | | | ||
− | + | == == | |
+ | | | ||
+ | | | ||
+ | | | ||
+ | |}<endFeed /> | ||
− | + | ''This list is change protected, for updates or additions [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=87230 lafrance] or [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] | |
+ | '' | ||
− | + | == Codes used == | |
− | + | SQLi - SQL injection [http://en.wikipedia.org/wiki/Code_injection#SQL_injection wikipedia] | |
− | + | LFI - Local File Inclusion [http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained scribd] | |
− | + | RFI - Remote file inclusion [http://en.wikipedia.org/wiki/Remote_File_Inclusion wikipedia] | |
+ | DT - Directory Traversal [http://en.wikipedia.org/wiki/Directory_traversal wikipedia] (incl 777 folders) | ||
− | + | ID = Information Disclosure: account information or sensitive information publicly viewable, or passed to 3rd party without knowledge | |
− | |||
== Future Actions & WIP == | == Future Actions & WIP == | ||
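Review bot: the gigcalender and heza content rows have malformed link targets: `|SQLi [http://extensions.joomla.org/extensions/calendars-a-events/events/97)http://extensions.joomla.org/extensions/calendars-a-events/events/97 gigcalender]` pastes the URL twice with a stray `)`, so the rendered link points at a non-existent address; keep a single URL before the label. The SqlReport and Yelp rows give their dates as `Feb 20` and `Feb 01` with no year, unlike the DDMMYY dates used elsewhere in the table, and the empty `== ==` rows render as blank headings. The "Codes used" legend defines SQLi, LFI, RFI, DT and ID, but the table also uses SID, XSS and LFD, which the legend does not explain.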
Line 966: | Line 1,690: | ||
== Notes == | == Notes == | ||
− | The RSS feed is currently | + | The RSS feed is currently fed by item entry order and not by date fixed. |
List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] | List as discussed in [[jtopic:455746]] by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=67439 PhilD] editing by [http://forum.joomla.org/memberlist.php?mode=viewprofile&u=28000 Mandville] | ||
− | |||
− | |||
− | |||
− | |||
---- | ---- | ||
+ | __NOINDEX__ | ||
+ | [[Category:Archived pages]] |
Latest revision as of 17:39, 8 April 2020
This page has been archived. This page contains information for an unsupported Joomla! version or is no longer relevant. It exists only as a historical reference, it will not be improved and its content may be incomplete and/or contain broken links.
This document has now been replaced by the website at vel.joomla.org from 1st May 2013. Please refer there for the latest updates.
List prior to January 2011 (now archived). Please check here also.
Check and Report.
Please check with the extension publisher in case of any questions over the security of their product.
Report vulnerable extensions on the VEL website.
- If you are seeing this page on any site other than the Official Joomla Documentation, you may be seeing an out-of-date version or a plagiarised copy, and the links may not work properly.
How to use this list[edit]
Items will be removed after a suitable period and not on resolution.
This document has now been replaced by the website at vel.joomla.org from 1st May 2013 Please refer to there for the latest updates
All known vulnerable extensions are the listed in the first column "Extension". Any in a red box are where we have not been given a fix. Any in a turquoise box contain a link to the notice about an update with link. Any that are in an uncolored box are a "Contact the Developer About This Extension". Alert Advisory details are in the center column. If the "Extension Update Link & Date Column has Not Known then it is where no update is known.
This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link
- We do not list BETA products, or extensions for J1.0.x
Developers - How to get yourself removed from the VEL[edit]
Resolved items will be removed after a suitable period and not on resolution
Please solve the issues and:
- If JED listed
To have your extension republished, please follow these steps:
1- Solve the issues.
2- Attach the new zip file at your actual JED listing.
3- Change the extension version at JED listing.
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.
5-complete the resolution form on the website at vel.joomla.org from 1st May 2013
6- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page
VEL email can be found above and the JED support link is in your notice of "unpublication" and here
- If not JED listed.
Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.
January 2012 and onwards Reported Vulnerable Extensions
<startFeed />
Extension | Details | Date Added | Extension Update Link & Date
---|---|---|---
civic crm 422 | upload exploit /RFI | 260413 | developer http://civicrm.org/category/civicrm-blog-categories/civicrm-v43 release 4.3.1
alfcontact | xss | 230413 | developer release statement on ALFContact v2.0.8 for J!2.5 and ALFContact v3.1.4 for J!3
aiContactSafe 2.0.19 | xss | 160413 | developer release statement for version 2.0.21
RSfiles | SQL | 180313 | developer release statement for version 12
Multiple Customfields Filter for Virtuemart | SQLi | 18212 | developers 1.6.8 update statement
Collector | Various [steevo.fr] | 230113 | developer update statement to 0.5.1
tz guestbook | Various | 100113 | developer release statement for 1.1.2
extplorer | 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 are vulnerable to an authentication bypass | 251212 | developer update to 2.1.3 statement
JooProperty | SQLi | 101212 | developer release new version 1.13.1 - upgrade notice
Multiple Customfields Filter for Virtuemart | SQLi | 18212 | developers update statement
ag google analytic | Various | 061212 |
sh404sef <3.7.0 | Undisclosed; sh404SEF 3.4.x, 3.5.x, 3.6.x for Joomla 2.5 | 26112 | developer statement
Login Failed Log | ID - information disclosure | 23112 | developer release statement to ver 1.5.4
jNews | | 131112 | developer update statement to version 7.9.1 151112
Joombah Jobs | Upload restriction issues | 131112 | developer update statement
commedia | RFI | 231012 | developer update statement to version 3.2 271012
Kunena | SQLi + ID | 221012 | Developer states current version not exploitable by reported methods
Icagenda | SQLi | | Developer statement for 1.2.9
JTag [joomlatag] | SQLi | |
Freestyle Support | SQLi | | developer update statement 251012
ACEFTP | DT | 011012 | AceFTP 2.0.0 released. Developer statement 101012
MijoFTP | DT | 011012 | *reported fixed prior to notification*
spider calendar lite | RFI | 180912 | developer release version 1.5
RokModule | SQLi | Rereported 180912 | Developer states: no known exploits for our current versions of RokModule (Joomla 2.5 - v1.3, Joomla 1.5 - v1.4)
ICagenda | SQLi | 080912 | developer security release - v1.2.1
En Masse cart | RFI | 060812 | Developer upgrade statement to 3.1.3
JCE (joomla content editor) | Upload Restriction <2.2.4 | 050812 | Developer states current version not exploitable
RSGallery2 | SQLi XSS | 31 07 12 | Developer statement: versions 3.2.0 for Joomla 2.5 and 2.3.0 for Joomla 1.5 released
osproperty | Unrestricted uploads | 160712 | Developer release version 2.0.3 180712
KSAdvertiser | RFI | 160712 | The security update version 1.5.72 advice can be found here:
Shipping by State for Virtuemart | elevated permissions (http://web-expert.gr/en) | 160612 | Upgrade to v2.5 download commercial product 300612
ownbiblio 1.5.3 | SQLi + | 250512 |
Ninjaxplorer <=1.0.6 | developer notification | 250412 | developer statement upgrade to 1.0.7
Phoca Fav Icon | Permissions Rewrite | 150412 | developer update 2.0.3 statement
estateagent improved | sqli (eaimproved.eu) | 110412 | developer states previous version, not current version
bearleague | sql | 110412 | (no longer maintained)
JLive! Chat v4.3.1 | DT | 060412 | Developer reports as unproven
virtuemart 2.0.2 | SQLi | 050412 | developers release statement. Current version 2.0.6 released
JE testimonial | SQLi | 230312 | Developer states malicious report.
JaggyBlog | excessive file permission | 090212 | version 1.3.1 released
Quickl Form | xss | 260112 |
com_advert | sqli - unknown developer | 240112 |
Joomla Discussions Component | sqli | 180112 | Discussions 1.4.1 released developer statement
| sqli | 180112 | updated version 2.2
Simple File Upload 1.3 | RFI | 010112 | Developer update statement to 1.3.5
<endFeed />
January 2011 - Jan 2012 Reported Vulnerable Extensions
Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic, clearly marked with the first word in the title being "Vulnerable Report", where the security moderators or JSST team will respond, or via email to the VEL team. For a guide to the codes, see "Codes used" below.
- If you are seeing this page on any site other than the Official Joomla Documentation, you may be seeing an out-of-date version or experiencing plagiarism, and the links may not work properly.
<startFeed />
Extension | Details | Date Added | Extension Update Link & Date
---|---|---|---
Simple File Upload 1.3 | RFI | 010112 | Developer update statement to 1.3.5
Dshop | sqli (possibly dhrusya.com) | 201111 |
QContacts 1.0.6 | sqli | 131211 |
Jobprofile 1.0 | SQL Injection Vulnerability | 051211 |
JX Finder 2.0.1 | XSS Vulnerabilities | 011211 |
wdbanners | Unknown Exploit | 301111 |
JB Captify Content J1.5 and J1.7 | Security checks missing - Versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip | 141111 | All extensions available on the site have been updated and this potential security issue has been resolved.
JB Microblog | Security checks missing - J1.7 only. Versions prior to 1.10.3 | 14111 | All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.
JB Slideshow <3.5.1 | Security checks missing | 141111 | All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.
JB Bamboobox | Security checks missing - J1.5 all versions prior to 1.2.2 | 141111 | All extensions available on the [joomlabamboo.com site have been updated] and this potential security issue has been resolved.
RokModule | SQLI - exploits RokStock RokWeather RokNewspager | 121111 | developer release statement: RokModule v1.3 for Joomla 1.7, RokModule v1.4 for Joomla 1.5
hm community | Multiple Vulnerabilities | 011111 | developer release 1.01
Alameda | SQLi | 01111 | developer statement and latest version number v1.0.1.
Techfolio 1.0 | Techfolio 1.0 SQLI | 291011 |
Barter Sites 1.3 | Barter Sites 1.3 SQL Injection & Persistent XSS vulnerabilities | 291011 | developer release 1.3.1
Jeema SMS 3.2 | Jeema SMS 3.2 Multiple Vulnerabilities | 291011 | developer resolution notice for 3.5.2
Vik Real Estate 1.0 | Vik Real Estate 1.0 Multiple Blind SqlI | 291011 |
yj contact | LFI (youjoomla contact) | 241011 | developer update statement 261011
NoNumber Framework | Advanced Module Manager * AdminBar Docker * Add to Menu * Articles Anywhere * What? Nothing! * Tooltips * Tabber * Sourcerer * Slider * Timed Styles * Modules Anywhere * Modalizer * ReReplacer * Snippets * DB Replacer * CustoMenu * Content Templater * CDN for Joomla! * Cache Cleaner * Better Preview | 181011 | see http://feeds.feedburner.com/nonumber/news for updates of various extensions
Time Returns | SQLi takeaweb.it | 151011 | No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old versions are no longer supported) http://www.takeaweb.it
Simple File Upload | LFI | 300811 | developer advice page
Jumi | LFI | 300811 | Developer states proper use of Joomla administration/extension documentation reading
Joomla content editor | JCE lfi/rfi vulnerability | | JCE 2.0.11 and JCE 1.5.7.14 have been released
Google Website Optimizer | Numerous vulnerabilities. Website Optimizer, Pearl Group | 290811 | developer update statement to ver. 1.4.0
Almond Classifieds | 777 Folder settings (all folders it uses are set to 777 including previously 755 locked folders) | 260811 | developer resolution notice
joomtouch | LFI/RFI | 180811 | developers resolution notice 1.0.3
RAXO All-mode PRO | Timthumb RFI | 110811 | developer upgrade 1.5.0 statement
V-portfolio | DT - open folders | 110811 | developer resolution statement
obSuggest | LFI | 310711 | developer release statement
Simple Page | LFI | 230711 | developer update statement: v1.5.17 has been released
JE Story | LFI | 230711 | developer security update notice to ver 1.9
appointment booking pro | LFI | 22071 | developer update security announcement: current 2.0.1 and 1.4.x versions are not vulnerable
acajoom | xss (admin permission required) | 220711 | updated to 5.20
gTranslate | ID - | 220711 | developer security release 1.5 x.25 and 1.6 x.26.
alpharegistration | http://www.alphaplug.com/ Please contact the developer for any questions on this extension | 170711 220711 |
Jforce | DT - | 170711 | developer states the new version number v1.5r1362 resolves the problem
Flash Magazine Deluxe Joomla | ID multiple vulnerabilities | 170711 | developer release 2.1.4
AVreloaded | SQLi - version 1.2.6 | 150711 | 1.2.7 released; developer release statement 160711
Sobi | SQLI - | 130711 | developer fix and update statement
fabrik | sqli | 120711 | Developers update statement 2.1
xmap | sqli 1.2.11 | 120711 | upgrade to 1.2.12
Atomic Gallery | Creates 777 folders (Atomic gallery) | 110711 | developer release statement/changelog
myApi | ID Contains "Call-Home" function. Sends private user information to developer. | 020711 | Developer states: use version 1.3.4.1
mdigg | SQL I (not listed in JED) | 020711 |
Calc Builder | sqli + ID | 180611 | dev security release 0.0.2
Cool Debate | Cool Debate 1.03 LFI | | version 1.0.8 released.
Scriptegrator Plugin 1.5.5 | LFI | 140611 | Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6
Joomnik Gallery | SQLi | | developer update to 0.9.1
JMS fileseller | LFI | 0611 | developer upgrade announcement to v1.1
sh404SEF | low-level XSS security issue | 300511 | Dev upgrade statement to 2.2.6
JE Story submit | LFI/RFI | | developer states Version 1.8
FCKeditor | File Upload Vulnerability | 230511 |
KeyCaptcha | ID | 190511 |
Ask A Question AddOn v1.1 | SQLi | 160511 |
Global Flash Gallery | flash-gallery.com xss | 130511 | dev release 0.5.0 statement
com_google | LFI com_google | 080511 | devs update to 1.5.1
docman | com-docman Input Validation Error | 160511 | devs resolution statement, report for old version
Newsletter Subscriber | XSS | 120511 | Developer update
Akeeba | akeeba backup and joomlapack | 170411 | dev update to 3.2.7
Facebook Graph Connect | SID. call home device with user credentials | 120411 | dev update notice
booklibrary | SQLi ordasoft booklibrary | 180311 | developer upgrade instructions
semantic | com semantic http://www.scms.es/joomla creates hidden admin users | 150311 |
JOMSOCIAL 2.0.x 2.1.x | SID, open folders | 120311 |
flexicontent | forced 777, malicious files | 250311 | devs resolve statement, Changelog
jLabs Google Analytics Counter | jLabs Google Analytics Counter SID | |
xcloner | Unspecified | 260211 | dev announcement of security release
smartformer | RFI | 230211 (repeat of 041110) | v2.4.1 security fix for Joomla 1.5.x
xmap 1.2.10 | Malicious payload in zip | 230211 | developer resolution notice; clean version available from joomlacode
Frontend-User-Access 3.4.1 | Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI | 030211 | update to Frontend-User-Access 3.4.2
com properties 7134 | http://com-property.com/ malicious files in script | | Dev update statement
B2 Portfolio | B2 portfolio 1.0 SQLi pulseextensions.com | 250111 |
allcinevid | SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 | 220111 | Developers resolution notice
People Component | People component http://www.ptt-solution.com/vmchk/people-component.html sqli | 150111 |
Jimtawl | Jimtawl LFI | 251110 |
Maian Media SILVER | Maian Media SQLi | 151110 | Developer states unproven in free edition; paid/SILVER version is being upgraded. dev article
alfurqan | alfurqan 1.5 sqli | 151110 | developer update statement
ccboard | ccboard XSS and SQLi | 131110 | on my site at [1] Please find the respective update information
ProDesk v 1.5 | LFI | 091110 |
sponsorwall | SQL injection pulseextensions.com | 011110 | developer resolution notice
Flip wall | SQL injection pulseextensions.com | 011110 | developer http://demo.pulseextensions.com/flip-wall.html update notice link title
Freestyle FAQ 1.5.6 | http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection | | new version (1.9.0) is available which fixes the security issues.
iJoomla Magazine 3.0.1 | iJoomla Magazine 3.0.1 RFI | 090910 |
Clantools | http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli | 090910 |
jphone | jphone LFI | 090910 |
PicSell | LFD, 777 | 020910 | new version released 150312, version number 11
Zoom Portfolio | SID | 020910 |
zina | SQL Injection | 020910 |
Team's | Teams extension SQL Injection | 120810 |
Amblog | Amblog SQLi | 120810 |
wmtpic | www.webmaster-tips.net various | 010710 |
Jomtube | http://www.jomtube.com/ SID | 220710 |
Rapid Recipe | http://www.rapid-source.com Persistent XSS Vulnerability; last known fix version 1.7.2 | july 10,2010 |
Health & Fitness Stats | http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability | july 10,2010 |
staticxt | http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided | |
quickfaq | http://www.schlu.net sqli | 090710 |
Minify4Joomla | http://waltercedric.com/ LFI and xss | 090710 | No longer available to download
IXXO Cart | http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability | | developer resolution notice
PaymentsPlus | http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability | 090710 | current version 2.20; 2.1.5 not listed on dev site
ArtForms | http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities | 090710 | Old beta extension
autartimonial | autartica.be Sqli Vulnerability | 060710 |
eventcal 1.6.4 | http://joomlacode.org/gf/project/eventcal/frs/ SQL I; last update 2006-12-31 on joomlacode | 040710 |
date converter | http://sourceforge.net/projects/date-converter/ sqli | 010710 |
real estate | http://www.opensourcetechnologies.com/demos/real-estate.html RFI | 210610 |
cinema | SQL injection | 190610 |
Jreservation | http://jforjoomla.com/ SQLi Vulnerability | 190610 |
joomdocs | http://joomclan.com/index.php/JoomDocs/ xss vulnerability | 190610 |
Live Chat | http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities | 190610 |
Turtushout 0.11 | http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) | 190610 |
BF Survey Pro Free | BF Survey Pro Free SQL Injection Exploit | 190610 | Product marked as retired by the developer
MisterEstate | http://www.misterestate.com/ Blind SQL Injection Exploit | 190610 |
RSMonials | http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit | 190610 | Believed to be 1.5.1 version
Answers v2.3beta | Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 | 180610 |
Gallery XML 1.1 | Multiple Vulnerabilities http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504 | 180610 |
JFaq 1.2 | JFaq 1.2 Multiple Vulnerabilities | 180610 |
Listbingo 1.3 | Multiple Vulnerabilities http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062 | 180610 |
Alpha User Points | www.alphaplug.com LFI | 180610 |
recruitmentmanager | http://recruitment.focusdev.co.uk Upload Vulnerability | 130610 |
Info Line (MT_ILine) | http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file | 120610 |
Ads manager Annonce | http://joomla.clubnautiquemarine.fr/ Upload Vulnerability | 05/06/10 |
lead article | http://www.leadya.co.il/ SQLi | 050610 |
djartgallery | http://www.design-joomla.eu Multiple Vul | 05/06/10 |
Gallery 2 Bridge | g2bridge LFI vulnerability | |
jsjobs | jsjobs SQL Injection Vulnerability | |
JE Poll | http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability | |
MediQnA | MediQnA LFI vulnerability version: v1.1 | |
JE Job | http://joomlaextensions.co.in/ LFI SQLi | |
SectionEx | Stack Ideas section Ex LFI | |
ActiveHelper LiveHelp | XSS in LiveHelp | 200510 |
JE Quotation Form | http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI | | developers statement of resolution note; now known as JE Quote Form
konsultasi | SQL Injection Vulnerability | |
Seber Cart | Local File Disclosure Vulnerability | | Developer Update 140510
Camp26 Visitor | RFI www.camp26.biz | |
JE Property | JE Property Finder Upload Vulnerability | |
Noticeboard | Noticeboard for Joomla "controller" Local File Inclusion Vulnerability | |
SmartSite | SmartSite com_smartsite Local File Inclusion Vulnerability | |
htmlcoderhelper graphics | htmlcoderhelper graphics v1.0.6 LFI Vulnerability | |
Ultimate Portfolio | Ultimate Portfolio Local File Inclusion Vulnerability | |
Archery Scores | Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability | 210410 |
ZiMB Manager | Joomla Component ZiMB Manager Local File Inclusion Vulnerability | 210410 |
Matamko | Matamko Local File Inclusion Vulnerability | 210410 |
Multiple Root | Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/ | |
Multiple Map | Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | |
Contact Us Draw Root Map | Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | |
iF surfALERT | iF surfALERT Local File Inclusion Vulnerability | |
GBU FACEBOOK | GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/ | |
jnewspaper | jnewspaper (cid) SQL Injection Vulnerability | |
MT Fire Eagle | LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com | 190410 | product considered retired and to be replaced by dev
Sweetykeeper | Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ | 120410 |
jvehicles | SQL Injection http://jvehicles.com | 120410 |
worldrates | http://dev.pucit.edu.pk/ | 120410 |
cvmaker | http://dev.pucit.edu.pk/ | |
advertising | http://dev.pucit.edu.pk/ | |
horoscope | http://dev.pucit.edu.pk/ | 120410 |
webtv | http://dev.pucit.edu.pk/ | 120410 |
diary | http://dev.pucit.edu.pk/ | 120410 |
Memory Book | http://dev.pucit.edu.pk/ | 120410 |
JprojectMan | LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 | 110410 |
econtentsite | LFI | 040410 |
Jvehicles | ID | 040410 |
gigcalender | SQLi gigcalender | 13 march 2010 |
heza content | SQLi heza content | 13 march 2010 |
SqlReport | Sqlreport has a sql/RFI exploit; awaiting confirmation on exact developer. | Feb 20 | Not Known
Yelp | SQLi - Unable to locate developer. Possibly a custom extension. | Feb 01 | Not Known
<endFeed />
This list is change protected; for updates or additions contact Mandville, lafrance or PhilD.
Codes used
- SQLi - SQL injection (wikipedia)
- LFI - Local File Inclusion (scribd)
- RFI - Remote File Inclusion (wikipedia)
- DT - Directory Traversal (wikipedia) (incl. 777 folders)
- ID - Information Disclosure: account information or sensitive information publicly viewable, or passed to a 3rd party without knowledge
Future Actions & WIP
- RSS feed completed
- to feed VEL direct to twitter
Notes
The RSS feed is currently fed by item entry order and not by date fixed. List as discussed in jtopic:455746 by PhilD; editing by Mandville.