Archived

Vulnerable Extensions List

From Joomla! Documentation

Revision as of 11:15, 7 September 2012 by Mandville

This page has been archived. It contains information for an unsupported Joomla! version or is no longer relevant. It exists only as a historical reference; it will not be improved, and its content may be incomplete and/or contain broken links.

List prior to January 2011 (now archived): please check here also. Please also check the Extension Investigation List.

Check and Report

Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions in the security forum, clearly marked with the first word in the title being "Vulnerable", where the security moderators or the JSST team will respond. This list is change protected; for additions or updates email vel @ joomla.org

How to use this list

Items will be removed after a suitable period and not on resolution.

All known vulnerable extensions are listed in the first column, "Extension". Any in a red box are where we have not been given a fix. Any in a turquoise box contain a link to the notice about an update. Any in an uncolored box are a "Contact the Developer About This Extension". Alert advisory details are in the center column. If the "Extension Update Link & Date" column reads "Not Known", no update is known to us.

This list is compiled from found information and may not be an up-to-date or accurate list. We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link.

  • We do not list BETA products, or extensions for J1.0.x

Developers - How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution.

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at the JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and that those who use the extension should upgrade immediately.

5- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page.

6- Email the VEL team with a notice of resolution, the latest version number and a link to the security release statement on your website.

The VEL email can be found above; the JED support link is in your notice of "unpublication" and here.

  • If not JED listed

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

January 2012 and onwards Reported Vulnerable Extensions

Columns: Extension | Details | Date Added | Extension Update Link & Date

ICagenda

SQLi

En Masse cart

RFI 060812 Developer upgrade statement to 3.1.3

JCE (Joomla Content Editor)

Upload restriction <2.2.4 050812 Developer states current version not exploitable

RSGallery2

SQLi, XSS 31 07 12 Developer statement: versions 3.2.0 for Joomla 2.5 and 2.3.0 for Joomla 1.5 released

osproperty

Unrestricted uploads 160712 Developer release version 2.0.3 180712

KSAdvertiser

RFI 160712 The security update (version 1.5.72) advice can be found here: German / English

Shipping by State for Virtuemart

Elevated permissions (http://web-expert.gr/en) 160612 Upgrade to v2.5, download commercial product 300612

ownbiblio 1.5.3

SQLi + 250512

Ninjaxplorer <=1.0.6

Developer notification 250412 Developer statement: upgrade to 1.0.7

Phoca Fav Icon

Permissions rewrite 150412 Developer update 2.0.3 statement

estateagent improved

SQLi (eaimproved.eu) 110412 Developer states previous version, not current version

bearleague

SQLi 110412 (no longer maintained)

JLive! Chat v4.3.1

DT 060412 Developer reports as unproven

virtuemart 2.0.2

SQLi 050412 Developer's release statement. Current version 2.0.6 released

JE testimonial

SQLi 230312 Developer states malicious report.

JaggyBlog

Excessive file permission 090212 Version 1.3.1 released

Quickl Form

XSS 260112

com_advert

SQLi - unknown developer 240112

Joomla Discussions Component

SQLi 180112 Discussions 1.4.1 released, developer statement

HD Video Share (contushdvideoshare)

SQLi 180112 Updated version 2.2

Simple File Upload 1.3

RFI 010112 Developer update statement to 1.3.5

January 2011 - Jan 2012 Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic, clearly marked with the first word in the title being "Vulnerable Report", where the security moderators or the JSST team will respond, or via email to the VEL team. For a guide to the codes

Columns: Extension | Details | Date Added | Extension Update Link & Date

Simple File Upload 1.3

RFI 010112 Developer update statement to 1.3.5

Dshop

SQLi (possibly dhrusya.com) 201111

QContacts 1.0.6

SQLi 131211

Jobprofile 1.0

SQL Injection Vulnerability 051211

JX Finder 2.0.1

XSS Vulnerabilities 011211

wdbanners

Unknown exploit 301111

JB Captify Content J1.5 and J1.7

Security checks missing - versions prior to JB_mod_captifyContent_J1.5_J1.7_1.0.1.zip 141111 All extensions available on the site have been updated and this potential security issue has been resolved.

JB Microblog

Security checks missing - J1.7 only, versions prior to 1.10.3 14111 All extensions available on the joomlabamboo.com site have been updated and this potential security issue has been resolved.

JB Slideshow <3.5.1

Security checks missing 141111 All extensions available on the joomlabamboo.com site have been updated and this potential security issue has been resolved.

JB Bamboobox

Security checks missing - J1.5, all versions prior to 1.2.2 141111 All extensions available on the joomlabamboo.com site have been updated and this potential security issue has been resolved.

RokModule

SQLi - exploits RokStock, RokWeather, RokNewspager 121111 Developer release statement: RokModule v1.3 for Joomla 1.7, RokModule v1.4 for Joomla 1.5

hm community

Multiple Vulnerabilities 011111 Developer release 1.01

Alameda

SQLi 01111 Developer statement; latest version number v1.0.1.

Techfolio 1.0

SQLi 291011

Barter Sites 1.3

SQL Injection & Persistent XSS vulnerabilities 291011 Developer release 1.3.1

Jeema SMS 3.2

Multiple Vulnerabilities 291011 Developer resolution notice for 3.5.2

Vik Real Estate 1.0

Multiple Blind SQLi 291011

yj contact

LFI (youjoomla contact) 241011 Developer update statement 261011

NoNumber Framework

Advanced Module Manager, AdminBar Docker, Add to Menu, Articles Anywhere, What? Nothing!, Tooltips, Tabber, Sourcerer, Slider, Timed Styles, Modules Anywhere, Modalizer, ReReplacer, Snippets, DB Replacer, CustoMenu, Content Templater, CDN for Joomla!, Cache Cleaner, Better Preview 181011 See http://feeds.feedburner.com/nonumber/news for updates of the various extensions

Time Returns

SQLi takeaweb.it 151011 No longer developed. New version 2.0.1 for Joomla 1.6/1.7 (old versions are no longer supported) http://www.takeaweb.it

Simple File Upload

LFI 300811 Developer advice page

Jumi

LFI 300811 Developer states: proper use of the Joomla administration and reading of the extension documentation

Joomla Content Editor

JCE LFI/RFI vulnerability. JCE 2.0.11 and JCE 1.5.7.14 have been released

Google Website Optimizer

Numerous vulnerabilities. Website Optimizer, Pearl Group 290811 Developer update statement to ver. 1.4.0

Almond Classifieds

777 folder settings (all folders it uses are set to 777, including previously 755 locked folders) 260811 Developer resolution notice

joomtouch

LFI/RFI 180811 Developer's resolution notice 1.0.3

RAXO All-mode PRO

TimThumb RFI 110811 Developer upgrade 1.5.0 statement

V-portfolio

DT - open folders 110811 Developer resolution statement

obSuggest

LFI 310711 Developer release statement

Simple Page

LFI 230711 Developer update statement: v1.5.17 has been released

JE Story

LFI 230711 Developer security update notice to ver 1.9

appointment booking pro

LFI 22071 Developer update security announcement: current 2.0.1 and 1.4.x versions are not vulnerable

acajoom

XSS (admin permission required) 220711 Updated to 5.20

gTranslate

ID - 220711 Developer security release 1.5 x.25 and 1.6 x.26.

alpharegistration

http://www.alphaplug.com/ Please contact the developer for any questions on this extension 170711 220711

Jforce

DT - 170711 Developer states the new version number v1.5r1362 resolves the problem

Flash Magazine Deluxe Joomla

ID, multiple vulnerabilities 170711 Developer release 2.1.4

AVreloaded

SQLi - version 1.2.6 150711 1.2.7 released, developer release statement 160711

Sobi

SQLi - 130711 Developer fix and update statement

fabrik

SQLi 120711 Developer's update statement 2.1

xmap

SQLi 1.2.11 120711 Upgrade to 1.2.12

Atomic Gallery

Creates 777 folders 110711 Developer release statement/changelog

myApi

ID Contains "call-home" function. Sends private user information to the developer. 020711 Developer states: use version 1.3.4.1

mdigg

SQLi (not listed in JED) 020711

Calc Builder

SQLi + ID 180611 Dev security release 0.0.2

Cool Debate

Cool Debate 1.03 LFI Version 1.0.8 released.

Scriptegrator Plugin 1.5.5

LFI 140611 Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6

Joomnik Gallery

SQLi Developer update to 0.9.1

JMS fileseller

LFI 0611 Developer upgrade announcement to v1.1

sh404SEF

Low-level XSS security issue 300511 Dev upgrade statement to 2.2.6

JE Story submit

LFI/RFI Developer states Version 1.8

FCKeditor

File Upload Vulnerability 230511

KeyCaptcha

ID 190511

Ask A Question AddOn v1.1

SQLi 160511

Global Flash Gallery

flash-gallery.com XSS 130511 Dev release 0.5.0 statement

com_google

LFI com_google 080511 Devs update to 1.5.1

docman

com_docman Input Validation Error 160511 Devs resolution statement: report is for an old version

Newsletter Subscriber

XSS 120511 Developer update

Akeeba

Akeeba Backup and JoomlaPack 170411 Dev update to 3.2.7

Facebook Graph Connect

SID. Call-home device with user credentials 120411 Dev update notice

booklibrary

SQLi ordasoft booklibrary 180311 Developer upgrade instructions

semantic

com_semantic http://www.scms.es/joomla Creates hidden admin users 150311

JOMSOCIAL 2.0.x 2.1.x

SID, open folders 120311

flexicontent

Forced 777, malicious files 250311 Devs resolve statement, Changelog

jLabs Google Analytics Counter

SID

xcloner

Unspecified 260211 Dev announcement of security release

smartformer

RFI 230211 (repeat of 041110) v2.4.1 security fix for Joomla 1.5.x

xmap 1.2.10

Malicious payload in zip 230211 Developer resolution notice: clean version available from joomlacode

Frontend-User-Access 3.4.1

Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI 030211 Update to Frontend-User-Access 3.4.2

com properties 7134

http://com-property.com/ Malicious files in script Dev update statement

B2 Portfolio

B2 Portfolio 1.0 SQLi pulseextensions.com 250111

allcinevid

SQLi http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 220111 Developer's resolution notice

People Component

http://www.ptt-solution.com/vmchk/people-component.html SQLi 150111

Jimtawl

LFI 251110

Maian Media SILVER

SQLi 151110 Developer states unproven in free edition; paid/SILVER version is being upgraded. Dev article

alfurqan

alfurqan 1.5 SQLi 151110 Developer update statement

ccboard

XSS and SQLi 131110 Developer: "on my site at [1] please find the respective update information"

ProDesk v 1.5

LFI 091110

sponsorwall

SQL injection pulseextensions.com 011110 Developer resolution notice

Flip wall

SQL injection pulseextensions.com 011110 Developer update notice: http://demo.pulseextensions.com/flip-wall.html

Freestyle FAQ 1.5.6

http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection New version (1.9.0) is available which fixes the security issues.

iJoomla Magazine 3.0.1

RFI 090910

Clantools

http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html SQLi 090910

jphone

LFI 090910

PicSell

LFD, 777 020910 New version released 150312, version number 11

Zoom Portfolio

SID 020910

zina

SQL Injection 020910

Team's

Teams extension SQL Injection 120810

Amblog

SQLi 120810

wmtpic

www.webmaster-tips.net various 010710

Jomtube

http://www.jomtube.com/ SID 220710

Rapid Recipe

http://www.rapid-source.com Persistent XSS Vulnerability Last known fix version 1.7.2, July 10, 2010

Health & Fitness Stats

http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability July 10, 2010

staticxt

http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 No version number provided

quickfaq

http://www.schlu.net SQLi 090710

Minify4Joomla

http://waltercedric.com/ LFI and XSS 090710 No longer available to download

IXXO Cart

http://www.php-shop-system.com/ SQLi, LFI, XSS Vulnerability Developer resolution notice

PaymentsPlus

http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability 090710 Current version 2.20; 2.1.5 not listed on dev site

ArtForms

http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities 090710 Old beta extension

autartimonial

autartica.be SQLi Vulnerability 060710

eventcal 1.6.4

http://joomlacode.org/gf/project/eventcal/frs/ SQLi Last update 2006-12-31 on joomlacode 040710

date converter

http://sourceforge.net/projects/date-converter/ SQLi 010710

real estate

http://www.opensourcetechnologies.com/demos/real-estate.html RFI 210610

cinema

SQL injection 190610

Jreservation

http://jforjoomla.com/ SQLi Vulnerability 190610

joomdocs

http://joomclan.com/index.php/JoomDocs/ XSS vulnerability 190610

Live Chat

http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities 190610

Turtushout 0.11

http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) 190610

BF Survey Pro Free

SQL Injection Exploit 190610 Product marked as retired by the developer

MisterEstate

http://www.misterestate.com/ Blind SQL Injection Exploit 190610

RSMonials

http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit 190610 Believed to be version 1.5.1

Answers v2.3beta

Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 180610

Gallery XML 1.1

Multiple Vulnerabilities http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504 180610

JFaq 1.2

Multiple Vulnerabilities 180610

Listbingo 1.3

Multiple Vulnerabilities http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062 180610

Alpha User Points

www.alphaplug.com LFI 180610

recruitmentmanager

http://recruitment.focusdev.co.uk Upload Vulnerability 130610

Info Line (MT_ILine)

http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 Reports of shell scripts in download file 120610

Ads manager Annonce

http://joomla.clubnautiquemarine.fr/ Upload Vulnerability 05/06/10

lead article

http://www.leadya.co.il/ SQLi 050610

djartgallery

http://www.design-joomla.eu Multiple vulnerabilities 05/06/10

Gallery 2 Bridge

g2bridge LFI vulnerability

jsjobs

SQL Injection Vulnerability

JE Poll

http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability

MediQnA

LFI vulnerability, version v1.1

JE Job

http://joomlaextensions.co.in/ LFI, SQLi

SectionEx

Stack Ideas SectionEx LFI

ActiveHelper LiveHelp

XSS in LiveHelp 200510

JE Quotation Form

http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI Developer's statement of resolution note; now known as JE Quote Form

konsultasi

SQL Injection Vulnerability

Seber Cart

Local File Disclosure Vulnerability Developer update 140510

Camp26 Visitor

RFI www.camp26.biz

JE Property

JE Property Finder Upload Vulnerability

Noticeboard

Noticeboard for Joomla "controller" Local File Inclusion Vulnerability

SmartSite

com_smartsite Local File Inclusion Vulnerability

htmlcoderhelper graphics

v1.0.6 LFI Vulnerability

Ultimate Portfolio

Local File Inclusion Vulnerability

Archery Scores

(com_archeryscores) v1.0.6 LFI Vulnerability 210410

ZiMB Manager

Local File Inclusion Vulnerability 210410

Matamko

Local File Inclusion Vulnerability 210410

Multiple Root

Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/

Multiple Map

Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

Contact Us Draw Root Map

Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

iF surfALERT

Local File Inclusion Vulnerability

GBU FACEBOOK

SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/

jnewspaper

jnewspaper (cid) SQL Injection Vulnerability

MT Fire Eagle

LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com 190410 Product considered retired and to be replaced by dev

Sweetykeeper

Local File Inclusion Vulnerability http://www.joomlacorner.com/ 120410

jvehicles

SQL Injection http://jvehicles.com 120410

worldrates

http://dev.pucit.edu.pk/ 120410

cvmaker

http://dev.pucit.edu.pk/

advertising

http://dev.pucit.edu.pk/

horoscope

http://dev.pucit.edu.pk/ 120410

webtv

http://dev.pucit.edu.pk/ 120410

diary

http://dev.pucit.edu.pk/ 120410

Memory Book

http://dev.pucit.edu.pk/ 120410

JprojectMan

LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 110410

econtentsite

LFI 040410

Jvehicles

ID 040410

gigcalender

SQLi 13 March 2010

heza content

SQLi 13 March 2010

SqlReport

SQLi/RFI exploit. Awaiting confirmation on exact developer. Feb 20 Not Known

Yelp

SQLi - Unable to locate developer. Possibly a custom extension. Feb 01 Not Known

This list is change protected; for updates or additions, contact Mandville or lafrance.

Codes used

SQLi - SQL injection (wikipedia)

LFI - Local File Inclusion (scribd)

RFI - Remote File Inclusion (wikipedia)

DT - Directory Traversal (wikipedia), including 777 folders

ID - Information Disclosure: account information or sensitive information publicly viewable, or passed to a 3rd party without the user's knowledge

Future Actions & WIP

  • RSS feed completed

  • To feed the VEL directly to Twitter

Notes

The RSS feed is currently fed in item-entry order and not by date fixed. List as discussed in jtopic:455746 by PhilD; editing by Mandville.