Difference between revisions of "Vulnerable Extensions List"

From Joomla! Documentation

m (Archive subpages)
m (Reverted edits by CirTap (talk) to last revision by Mandville)
Line 1: Line 1:
'''Please check here also:'''
'''List prior to Jnuary 2010 ([[Archived vel|now archived]])''' Please check here also.  
Please also check the [[Investigation of exploits|Extension Investigation List]].
Please also check the [[Investigation of exploits|Extension Investigation List]].
== Check and Report.  ==
== Check and Report.  ==
'''Please check with the extension publisher in case of any questions over the security of their product.'''
'''Please check with the extension publisher in case of any questions over the security of their product.'''

Revision as of 07:03, 15 July 2011

Replacement filing cabinet.png
This page has been archived - Please Do Not Edit or Create Pages placed in this namespace. The pages in the Archived namespace exist only as a historical reference, it will not be improved and its content may be incomplete.


List prior to Jnuary 2010 (now archived) Please check here also.

Please also check the Extension Investigation List.

Check and Report.

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions in the security forum clearly marked with the first word in the title being Vulnerable where the security moderators or JSST team will respond. This list is change protected, for additions or updates email vel @ Mandville or lafrance are the main editors

How to use this list

Items will be removed after a suitable period and not on resolution All known vulnerable extensions are the listed in the first column. Any in a red box are where we have not been given a fix for. Alert Advisory details in the centre column . Finally a link to the notice about any update with link or Not Known where none is known.

This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link

  • We do not list BETA products, or extensions for J1.0.x

Developers - How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.

5- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of yournew version number and security notice page

6- Email the VEL team with a notice of resolution, the latest version number and a link to the security release statement on your website

VEL email can be found above and the JED support link is in your notice of "unpublication" and here

  • If not JED listed.

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

February 2010 and onwards Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions either in the jforum:432 security topic clearly marked with the first word in the title being Vulnerable Report where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the codes

Extension Details Date Added Extension Update Link & Date


SQLI - 130711 developer fix and update statement


sqli 120711 Developers Update statement 2.1


sqli 1.2.11 120711 upgrade to 1.2.12

Atomic Gallery

Creates 777 folders Atomic gallery 110711


ID Contains "Call-Home" function. Sends private user information to developer. 020711 Developer states Use version


SQL I (not listed in JED) 020711

Calc Builder

sqli + ID 180611 dev security release 0.0.2

Cool Debate

Cool Debate 1.03 LFI

Scriptegrator Plugin 1.5.5

LFI 140611 Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6

Joomnik Gallery

SQLi developer update to 0.9.1

JMS fileseller

LFI 0611 developer upgrade announcement to v1.1


low-level XSS security issue 300511 Dev upgrade statement to 2.2.6

JE Story submit

LFI/RFI developer states Version 1.8


File Upload Vulnerability 230511


Private report under investigation 190511

Ask A Question AddOn v1.1

SQLi 160511

Global Flash Gallery xss 130511 dev release 0.5.0 statement


LFI com_google 080511 devs update to 1.5.1


com-docman Input Validation Error 160511 devs resolution statement, report for old version

Newsletter Subscriber

XSS 120511 Deveopler update


akkeba backup and joomlapack 170411 dev update to 3.2.7

Facebook Graph Connect

SID. call home device with user credentials 120411 dev update notice


SQLi ordasoft booklibrary 180311 developer upgrade instructions


com semantic creates hidden admin users 150311

JOMSOCIAL 2.0.x 2.1.x

SID, open folders 120311


forced 777, malicious files 250311 devs resolve statement, Changelog

jLabs Google Analytics Counter

jLabs Google Analytics Counter SID


Unspecified 260211 dev announcement of security release


RFI 230211 (repeat of 041110) v2.4.1 security fix for Joomla 1.5.x

xmap 1.2.10

Malicious payload in zip 230211 developer resolution notice Clean version available from joomlacode

Frontend-User-Access 3.4.1

Frontend-User-Access 3.4.1 from LFI 030211 update to Frontend-User-Access 3.4.2

com properties 7134 malicious files in script Dev update statement

B2 Portfolio

B2 portfolio 1.0 SQLi 250111


SQLI 220111 Developers resolution notice

People Component

People component sqli 150111

J!Dump v1.1.2

LFI in J!Dump v1.1.2 and before 060111 The extension is fixed in

version 1.1.3 070111

xmovie 1.0

xmovie 1.0 LFi 010111 v1.1 is a security release.

Easy File Uploader

LFI - 090111 Fixed MIME type tamper vulnerability 2011-01-10

akeebabackup admin tools

xss 181210 devs update statement


XSS for versions 2.0.13 and below 161210 dev release 2.0.14


JRadio LFI/SID 161210 developer fix statement

JE Auto

JE Auto 1.0 SQL I 091210 developers bug fix statement

jxtended comments

xss 081210 dev notice update to 1.3.1


sqlI 301110 dev post of resolution

JE Ajax Event Calendar

SQL I (relist) 251110 Dev states resolved,


Jimtawl LFI 251110

mosets tree

mosets tree various 181110 dev release 2.1.8

Maian Media SILVER

Maian Media SQLi 151110 Developer states unproven in free edition, paid/SILVER version is being upgraded. dev article


alfurqan 1.5 sqli 151110


ccboard XSS and SQLi 131110

ProDesk v 1.5

LFI 091110

JQuarks 4 survey 1.0.0

SQLi 091110 developer statement updated to version 1.0.1 101110

RSform! 1.0.5

Multiple vulnerabilities - LFI, SQLi 061110 developer announcement of security releaseto 1.0.6 091110


SQLi for ccinvoices 051110 Developer Upgrade release to ccInvoices_110RC3 061110


SQL injection 011110

Flip wall

SQL injection 011110

K2 joomlaworks k2 xss version 2.4.1

Mosets Tree 2.1.5

Mosets Tree 2.1.5 LFI developer relase statement and change log

Freestyle FAQ 1.5.6 Freestyle FAQ 1.5.6 ‎SQL Injection


Je faq pro various reports 090910 Developer update notice

iJoomla Magazine 3.0.1

iJoomla Magazine 3.0.1 RFI 090910

Clantools clantool sqli 090910


jphone LFI 090910

Gantry Framework

SQli injection 050910 Update to 3.0.11


LFD, 777 020910


SID 020910 Developer update notice

Zoom Portfolio

SID 020910


SQL Injection 020910


Teams extension SQL Injection 120810


Amblog SQLi 120810

Graffiti Wall

Graffiti Wall for jomsocial silent 777 310710 Dev statement 1.1 - is security release. Folder permission was set by default as 777 that is unsecure.

Spielothek silent 0777, unknown folder creation 290710 Dev states version 1.7.1 resolves issues 020810

Aardvertiser silent 0777 290710 dev announces silent 0777 fixed in Version 2.1 290710

FW Real Estate Light silent 777 290710 version 1.1 reported as fixed 777 issue

jDownloads and silent 0777 setting 2807110 1.7.4 RC3 Build 771 update on Jul 29 to remove 0777


TTVideo 1.0 Joomla SQL Injection Vulnerability 270710 dev updated the component to prevent this. 280710

Users are no longer able to download the previous version.

frei-chat2.0 xss vulnerability 230710 Dev announcement to fix 2.1.2 for FreiChat [Those having CB installed]AND 1.2.2 for FreiChatPure [Extension Independent] 240710

QContacts Version: 1.0.4 reported, current version 1.0.6 220710 Devleoper states unproven report and no POC

Jomtube SID 220710

mysms Upload Vulnerability july 10,2010 290710 released the version 1.5.12.

Rapid Recipe Persistent XSS Vulnerability last known fix version 1.7.2 july 10,2010

Health & Fitness Stats Persistent XSS Vulnerability july 10,2010

staticxt no version number provided

EasyBlog xss (new report) july 10,2010 developer reported fix available on site

redshop light silent 777 and sqli 110710 Developer reported fix and upgrade to RC2

quickfaq sqli 090710

Minify4Joomla LFI and xss 090710 No longer available to download

IXXO Cart SQLi LFI XSS Vulnerability

Music Manager

LFI music manager 090710 Version 0.13 released

PaymentsPlus 2.1.5 Blind SQL Injection Vulnerability 090710 current version 2.20, 2.1.5 not listed on dev site

ArtForms ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities 090710 Old beta extension

NeoRecruit SQL Injection neorecruit vers 1.4 060710 dev statement of fix in 1.4.1 and safe 2.0.5

autartimonial Sqli Vulnerability 060710

Jobs Pro Sqli 060710 devs announcement of fix 130710

JPodium SQL Injection 060710 Devs statement as to not proven

Front-End Article Manager System Upload Vulnerability 040710 dev states resolved

addressbook Upload Vulnerability 040710 dev states resolved

NijnaMonials Sqli Vulnerability 040710 070410 Discovered to be malicious/false report see devs notice

Phoca Gallery

SQL I (wrong download location in report) 040710 deemed malicious report

socialads Xss Vulnerability 040710 Developers resolved statement

eventcal 1.6.4 SQL I last update 2006-12-31 on joomlacode 040710

myblog controller


010710 MyBlog 3.0.332


SQli Vulnerability

010710 developer release statement 260311


SQL Injection Vulnerability

010710 upgrade to 1.0.10

wmtpic various 010710

date converter sqli 010710

Remository LFI (proc) 010710 Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710

RokBridge 1.0rc12 SDI 090810 RokBridge has been updated to version 1.0rc13. 120810

real estate RFI 210610


Version: 1.6.288 Multiple XSS 210610 1.6.291 released 220610


DOCman 1.5.7 DOCman 1.4.0 none specific exploit 210610 developer announcement

eportfolio Upload Vulnerability 200610 Developer announcement 270810


SQL injection 190610

Jreservation SQLi Vulnerability 190610

Super Messenger xss 190610 developer release statement 1.4.6

joomdocs xss vulnerability 190610

RSComments 1.0.0

Persistent XSS NOTE: ONLY executes in backend! 190610 Developer update announcement 210610

Live Chat Multiple Remote Vulnerabilities 190610

Turtushout 0.11 SQL Injection (again) 190610

BF Survey Pro Free

BF Survey Pro Free SQL Injection Exploit 190610

MisterEstate Blind SQL Injection Exploit 190610

RSMonials XSS Exploit 190610 Believed to be 1.5.1 version

RSComments 1.0.0

RS Comments 1.0.0 Multiple XSS Vulnerabilities (relisted) 180610 Developer update announcement 210610

Answers v2.3beta

Multiple Vulnerabilities 180610

Gallery XML 1.1

Multiple Vulnerabilities


JFaq 1.2

JFaq 1.2 Multiple Vulnerabilities 180610

Listbingo 1.3

Multiple Vulnerabilities


PowerMail Pro

PowerMail Pro Local File Inclusion Vulnerability Dev upadte statement 151010

Alpha User Points LFI 180610

Magic Updater RFI 170610 [1] developer update statement

recruitmentmanager Upload Vulnerability 130610

Info Line (MT_ILine) reports of shell scripts in download file 120610

Search Log SQLi 080610 Developer cited update to version 3.1.1 100710


jtickets, jsubscription SQL Injection Vulnerability,

jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection,

090610 developer states unproven

Ads manager Annonce

Upload Vulnerability


lead article SQLi 050610

djartgallery Multiple Vul 05/06/10

Gallery 2 Bridge

g2bridge LFI vulnerability


jsjobs SQL Injection Vulnerability

JE Poll SQL Injection Vulnerability

MyCar sqli ID Dev announcement update to 1.1


MediQnA LFI vulnerability version : v1.1


BF Quiz

SQL Injection Exploit Version(s) = 1.3.0 Developer update to BF Quiz v1.3.1

Ozio Gallery 2

DT and open email relay 280510 Developer update and security release 010610


Stack Ideas section Ex LFI

ActiveHelper LiveHelp

XSS in LiveHelp 200510

RS Comments

XSS Vulnerability - fix posted 210510


LFI and other vulnerabilities Upgrade to Ninja RSS Syndicator 1.0.9 or later

SimpleDownload various exploits 160510 updated version (version 0.9.6)

JE Quotation Form LFI


SQL Injection Vulnerability


Local File Inclusion Vulnerability

see resolved notice 040810

Seber Cart

Local File Disclosure Vulnerability Developer Update 140510

FDione Form Wizard

lfi vulnerability 140510 200510 Update to Dione Form Wizard (v. 1.0.4).

Custom PHP Pages LFI Vulnerability Developer declares not vulnerable 140510

Camp26 Visitor


iJoomla News Portal

RFI SID Update to 1.5.10

article Factory Manager

RFI & Input Validation Error may 2010 can not reproduce and unproven,

Table JX Component Table JX Component XSS 060510 - update 130510 Version: 1.5.5 considered unsafe, update to 1.5.7

JE Property

JE Property Finder Upload Vulnerability


Noticeboard for Joomla "controller" Local File Inclusion Vulnerability


SmartSite com_smartsite Local File Inclusion Vulnerability


ABC SQL Injection Vulnerability reported as updated to JED 290410

htmlcoderhelper graphics

htmlcoderhelper graphics v1.0.6 LFI Vulnerability

Ultimate Portfolio

Ultimate Portfolio Local File Inclusion Vulnerability

huruhelpdesk sqli injection Reported fix

Archery Scores

Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability 210410

ZiMB Manager

Joomla Component ZiMB Manager Local File Inclusion Vulnerability 210410


Matamko Local File Inclusion Vulnerability 210410

Multiple Root

Multiple Root Local File Inclusion Vulnerability

Multiple Map

Multiple Map Local File Inclusion Vulnerability

Contact Us Draw Root Map

Draw Root Map Local File Inclusion Vulnerability

iF surfALERT

iF surfALERT Local File Inclusion Vulnerability


GBU FACEBOOK SQL injection vulnerability


jnewspaper (cid) SQL Injection Vulnerability

JTM Reseller

TM Reseller SQL injection vulnerability Developer Update

media Mall Factory

SQLi 200410 Solution: update to 1.0.5

Gadget Factory

LFi 200410 Solution: update to 1.5.1

Deluxe Blog Factory

SQLi 200410 update to 1.1.2

MT Fire Eagle

LFI 190410 product considered retired and to be replaced by dev

com properties SQL I developer announced fix


Sweetykeeper Local File Inclusion Vulnerability 120410


SQL Injection 120410

worldrates 120410



horoscope 120410

webtv 120410

diary 120410

Multi-Venue Restaurant Menu Manager (MVRMM) 120410 Version 1.5.2 Stable Update 4

Memory Book 120410

TRAVELbook 120410 developers resolution notice 1.0.2


developer upgrade


LFI 110410


1.3.4 release - Important LFI security fix [2] 07-04-10 upgrade


LFI 040410


ID 040410


SMEStorage LFI Updated 29 March 10 developer fix to 1.1

JE Tooltip

JE Tooltip LFI Updated 23 March

Gift Exchange Beta

Gift exchange SQLi Updated 23 March upgrade beta 1.0.1


[LFI] 15 march 2010 upgrade to version 1.0


SQLi gigcalender 13 march 2010

heza content

SQLi heza content 13 march 2010


LFI juliaportfolio 13 march 2010 withdrawal and update notice

Flash Magazine Deluxe

SQL Injection Vulnerability. Feb 25 Developer Update Version 2.0.11 09/03/10


Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer. Feb 20 Not Known


Core Design Scriptegrator RFI exploit Feb 20 Dev Upgrade announcement

AllVideos 3.1

A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions.]|

17 Feb Version 3.3 release 18th

RW Cards

RW Card LFI and ID exploit Dev Site 180210 developer update


SQLi - Unable to locate developer. Possibly a custom extension. Feb 01 Not Known


Directory Traversal. Back end access required Feb 05 Please upgrade to version 1.0.4


LFI - community polls Feb 17 upgrade to version 1.5.3

This list is change protected, for updates or additions Mandville or lafrance

Codes used

SQLi - SQL injection wikipedia

LFI - Local File Inclusion scribd

RFI - Remote file inclusion wikipedia

DT - Directory Traversal wikipedia

ID = Information Disclosure: account information or sensitive information publicly viewable

Future Actions & WIP

RSS feed completed

to feed VEL direct to twitter


The RSS feed is currently fed by item entry order and not by date fixed. List as discussed in jtopic:455746 by PhilD editing by Mandville