Vulnerable Extensions List
From Joomla! Documentation
This page has been archived. This page contains information for an unsupported Joomla! version or is no longer relevant. It exists only as a historical reference, it will not be improved and its content may be incomplete and/or contain broken links.
December 2009 Compiled Reports
|Extension||Details||Reference Link||Extension Update Link|
|Omilen Photo Gallery||Summary: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
|Seminar||Summary: SQL injection vulnerability in the Seminar (com_seminar) component 1.28 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a View_seminar action to index.php.
|Mambo Resident||Summary: Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos Res or com_mosres) component 1.0f for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) property_uid parameter in a viewproperty action to index.php and the (2) regID parameter in a showregion action to index.php. Mambo Resident component for v4.5.2 may only be for 1.0.xx versions of J!
|CVE-2009-4199||Replacement Extension 08 dec 09|
|ProofReader||Summary: Multiple cross-site scripting (XSS) vulnerabilities in index.php in the ProofReader (com_proofreader) component 1.0 RC9 and earlier for Joomla! allow remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in (1) 404 or (2) error pages. Published: 12/02/2009 CVSS Severity: 4.3 (MEDIUM)||CVE-2009-4157||Not Known|
|Laoneo Google Calendar GCalendar||Summary: SQL injection vulnerability in the Google Calendar GCalendar (com_gcalendar) component 1.1.2, 2.1.4, and possibly earlier versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the gcid parameter. NOTE: some of these details are obtained from third party information. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH) Note: There is already a listing for GCalendar 1.1.2||CVE-2009-4099||Not Known|
|D4J eZine||Summary: PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS mosConfig_absolute_path parameter. Published: 11/29/2009 CVSS Severity: 7.5 (HIGH)||CVE-2009-4094||Not Known|
|Quick News||Summary: The Joomla Quick News component suffers from a remote SQL injection vulnerability. added 1st Dec 09||Reference||Not Known|
|Joaktree component||Summary: Joaktree Vulnerability : SQL injection/ added 1st Dec 09||7508||Not Known|
|mojoblog||Summary MojoBlog Multiple Remote File Include Vulnerability added 1st Dec 09||7509||Not Known|
|com_job||Summary: Component com_job ( showMoreUse) SQL injection vulnerability Added 9th Dec||Reference||Not Known|
|JQuarks||Summary: JQuarks SQL injection vulnerability added 8th dec 09||Reference||Developer Update|
|Mamboleto Component 2.0 RC3||Summary: Mamboleto Component 2.0 RC3SQL injection vulnerability added 12 December||Reference||Not Known|
|JS JOBS||Summary JS JOBS Joomla Component com_jsjobs 22.214.171.124 SQL Injection Vulnerabilities added 12 December||Reference||Developer update 126.96.36.199|
|corePHP JPhoto||Summary: 'corePHP' JPhotoSQL injection vulnerability added 12 December||Reference||Developer Upgrade|
|com_virtuemart||Summary: "com_virtuemart" http://virtuemart.net/ Version : 1.0 Vulnerability : SQL injection added Date : 07-12-09||Reference||latest version|
|Kide Shoutbox||Summary: The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not properly perform authentication, which allows remote attackers to post messages with an arbitrary account name via an insertar action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Added: December 08||CVE-2009-4232||Not Known|
|JoomPortfolio Component||Summary: JoomPortfolio Input passed via the "secid" parameter to index.php (when "option" is set to "com_joomportfolio" and "task" is set to "showcat") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.The vulnerability is reported in version 1.0.0. Other versions may also be affected. Added: December 18||Reporting Site||Not Known|
|City Portal (templates?)||Summary: City Portal Blind SQL Injection Vulnerability added: 2009-12-18||Reference Possibly this tempate||Not Known|
|Event Manager||Summary: Event Manager Blind SQL Injection Vulnerability EDB-ID: 10549
|com_zcalendar||Summary: com_zcalendar Blind SQL-injection Vulnerability
EDB-ID: 10548 added: 2009-12-18
|com_acmisc||Summary: com_acmisc SQL injection added: 2009-12-18||Reference||Not Known|
|com_digistore||Summary: com_digistore SQL injection EDB-ID: 10546 added: 2009-12-18||Reference||update|
|com_jbook||Summary: com_jbook Blind SQL-injection EDB-ID: 10545 added: 2009-12-18||Reference||Not Known|
|com_personel||Summary: com_personel component for Joomla! is vulnerable to SQL injection.||iss.net reference||Not Known|