Friday, 15 July 2011 22:40

AVreloaded

Rate this item
(0 votes)

List prior to Jnuary 2010 (now archived) Please check here also.

Please also check the Extension Investigation List.

Check and Report.

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions in the security forum clearly marked with the first word in the title being Vulnerable where the security moderators or JSST team will respond. This list is change protected, for additions or updates email vel @ Joomla.org Mandville or lafrance are the main editors

How to use this list

Items will be removed after a suitable period and not on resolution All known vulnerable extensions are the listed in the first column. Any in a red box are where we have not been given a fix for. Alert Advisory details in the centre column . Finally a link to the notice about any update with link or Not Known where none is known.

This list is compiled from found information and may not be an up to date accurate list We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link

  • We do not list BETA products, or extensions for J1.0.x

Developers - How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

  • If JED listed

To have your extension republished, please follow these steps:

1- Solve the issues.

2- Attach the new zip file at your actual JED listing.

3- Change the extension version at JED listing.

4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.

5- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of yournew version number and security notice page

6- Email the VEL team with a notice of resolution, the latest version number and a link to the security release statement on your website


VEL email can be found above and the JED support link is in your notice of "unpublication" and here

  • If not JED listed.

Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.

February 2010 and onwards Reported Vulnerable Extensions

Please check with the extension publisher in case of any questions over the security of their product. Report Vulnerable extensions either in the jforum:432 security topic clearly marked with the first word in the title being Vulnerable Report where the security moderators or JSST team will respond or via email to the VEL team. For a guide to the codes


Extension Details Date Added Extension Update Link & Date

AVreloaded

 SQLi - AllVideos Reloaded is a fork of the famous AllVideos 150711

Sobi

 SQLI - 130711 developer fix and update statement

fabrik

 sqli 120711 Developers Update statement 2.1

xmap

 sqli 1.2.11 120711 upgrade to 1.2.12

Atomic Gallery

 Creates 777 folders Atomic gallery 110711

myApi

 ID Contains "Call-Home" function. Sends private user information to developer. 020711 Developer states Use version 1.3.4.1

mdigg

 SQL I (not listed in JED) 020711

Calc Builder

 sqli + ID 180611 dev security release 0.0.2

Cool Debate

 Cool Debate 1.03 LFI

Scriptegrator Plugin 1.5.5

 LFI 140611 Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6

Joomnik Gallery

 SQLi developer update to 0.9.1

JMS fileseller

 LFI 0611 developer upgrade announcement to v1.1

sh404SEF

 low-level XSS security issue 300511 Dev upgrade statement to 2.2.6

JE Story submit

 LFI/RFI developer states Version 1.8

FCKeditor

 File Upload Vulnerability 230511

KeyCaptcha

 Private report under investigation 190511

Ask A Question AddOn v1.1

 SQLi 160511

Global Flash Gallery

 flash-gallery.com xss 130511 dev release 0.5.0 statement

com_google

 LFI com_google 080511 devs update to 1.5.1

docman

 com-docman Input Validation Error 160511 devs resolution statement, report for old version

Newsletter Subscriber

 XSS 120511 Deveopler update

Akeeba

 akkeba backup and joomlapack 170411 dev update to 3.2.7

Facebook Graph Connect

 SID. call home device with user credentials 120411 dev update notice

booklibrary

 SQLi ordasoft booklibrary 180311 developer upgrade instructions

semantic

 com semantic http://www.scms.es/joomla creates hidden admin users 150311

JOMSOCIAL 2.0.x 2.1.x

 SID, open folders 120311

flexicontent

 forced 777, malicious files 250311 devs resolve statement, Changelog

jLabs Google Analytics Counter

 jLabs Google Analytics Counter SID

xcloner

 Unspecified 260211 dev announcement of security release

smartformer

 RFI 230211 (repeat of 041110) v2.4.1 security fix for Joomla 1.5.x

xmap 1.2.10

 Malicious payload in zip 230211 developer resolution notice Clean version available from joomlacode

Frontend-User-Access 3.4.1

 Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI 030211 update to Frontend-User-Access 3.4.2

com properties 7134

 http://com-property.com/ malicious files in script Dev update statement

B2 Portfolio

 B2 portfolio 1.0 SQLi pulseextensions.com 250111

allcinevid

 SQLI http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 220111 Developers resolution notice

People Component

 People component http://www.ptt-solution.com/vmchk/people-component.html sqli 150111

J!Dump v1.1.2

 LFI in J!Dump v1.1.2 and before 060111 The extension is fixed in

version 1.1.3 070111

xmovie 1.0

 xmovie 1.0 LFi 010111 v1.1 is a security release.

Easy File Uploader

 LFI - http://extensions.joomla.org/extensions/core-enhancements/file-management/11909 090111 Fixed MIME type tamper vulnerability http://michaelgilkes.info/joomla-plugin-easy-file-uploader 2011-01-10

akeebabackup admin tools

 xss 181210 http://www.akeebabackup.com/home/item/929-security-release-admin-tools-1-1.html devs update statement

aicontactsafe

 XSS for versions 2.0.13 and below 161210 dev release 2.0.14

JRadio

 JRadio LFI/SID 161210 http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56 developer fix statement

JE Auto

 JE Auto 1.0 SQL I 091210 developers bug fix statement

jxtended comments

 xss 081210 dev notice update to 1.3.1

sh404SEF

 sqlI 301110 dev post of resolution

JE Ajax Event Calendar

 SQL I (relist) 251110 Dev states resolved,

Jimtawl

 Jimtawl LFI 251110

mosets tree

 mosets tree various 181110 dev release 2.1.8 http://forum.mosets.com/showthread.php?t=17064

Maian Media SILVER

 Maian Media SQLi 151110 Developer states unproven in free edition, paid/SILVER version is being upgraded. dev article

alfurqan

 alfurqan 1.5 sqli 151110

ccboard

 ccboard XSS and SQLi 131110

ProDesk v 1.5

 LFI 091110

JQuarks 4 survey 1.0.0

 SQLi 091110 developer statement updated to version 1.0.1 101110

RSform! 1.0.5

 Multiple vulnerabilities - LFI, SQLi 061110 developer announcement of security releaseto 1.0.6 091110

ccinvoices

 SQLi for ccinvoices 051110 Developer Upgrade release to ccInvoices_110RC3 061110

sponsorwall

 SQL injection pulseextensions.com 011110


Flip wall

 SQL injection pulseextensions.com 011110

K2 joomlaworks

 http://getk2.org/ k2 xss version 2.4.1

Mosets Tree 2.1.5

 Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI developer relase statement and change log

Freestyle FAQ 1.5.6

 http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 ‎SQL Injection

JE FAQ Pro

 Je faq pro various reports 090910 Developer update notice

iJoomla Magazine 3.0.1

 iJoomla Magazine 3.0.1 RFI 090910

Clantools

 http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantool sqli 090910

jphone

 jphone LFI 090910

Gantry Framework

 SQli injection 050910 Update to 3.0.11

PicSell

 LFD, 777 020910

JE FAQ Pro

 SID 020910 Developer update notice

Zoom Portfolio

 SID 020910

zina

 SQL Injection 020910

Team's

 Teams extension SQL Injection 120810

Amblog

 Amblog SQLi 120810

Graffiti Wall

 Graffiti Wall for jomsocial silent 777 310710 Dev statement 1.1 - is security release. Folder permission was set by default as 777 that is unsecure.

Spielothek

 http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation 290710 Dev states version 1.7.1 resolves issues 020810

Aardvertiser

 http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777 290710 dev announces silent 0777 fixed in Version 2.1 290710

FW Real Estate Light

 http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777 290710 version 1.1 reported as fixed 777 issue

jDownloads

 http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting 2807110 1.7.4 RC3 Build 771 update on Jul 29 to remove 0777

TTVideo

 TTVideo 1.0 Joomla SQL Injection Vulnerability 270710 dev updated the component to prevent this. 280710

Users are no longer able to download the previous version.

frei-chat2.0

 http://code.google.com/p/frei-chat/downloads/list xss vulnerability 230710 Dev announcement to fix 2.1.2 for FreiChat [Those having CB installed]AND 1.2.2 for FreiChatPure [Extension Independent] 240710

QContacts

 http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 Version: 1.0.4 reported, current version 1.0.6 220710 Devleoper states unproven report and no POC

Jomtube

 http://www.jomtube.com/ SID 220710

mysms

 http://www.willcodejoomlaforfood.de/ Upload Vulnerability july 10,2010 290710 released the version 1.5.12.

Rapid Recipe

 http://www.rapid-source.com Persistent XSS Vulnerability last known fix version 1.7.2 july 10,2010

Health & Fitness Stats

 http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability july 10,2010


staticxt

 http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided

EasyBlog

 http://stackideas.com/products/easyblog.html xss (new report) july 10,2010 developer reported fix available on site

redshop light

 http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and sqli 110710 Developer reported fix and upgrade to RC2

quickfaq

 http://www.schlu.net sqli 090710

Minify4Joomla

 http://waltercedric.com/ LFI and xss 090710 No longer available to download

IXXO Cart

 http://www.php-shop-system.com/ SQLi LFI XSS Vulnerability

Music Manager

 LFI music manager 090710 Version 0.13 released

PaymentsPlus

 http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability 090710 current version 2.20, 2.1.5 not listed on dev site

ArtForms

 http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities 090710 Old beta extension

NeoRecruit

 neojoomla.com SQL Injection neorecruit vers 1.4 060710 dev statement of fix in 1.4.1 and safe 2.0.5

autartimonial

 autartica.be Sqli Vulnerability 060710

Jobs Pro

 instantphp.com/ Sqli 060710 devs announcement of fix 130710

JPodium

 http://www.jpodium.de/ SQL Injection 060710 Devs statement as to not proven

Front-End Article Manager System

 http://b-elektro.no/ Upload Vulnerability 040710 dev states resolved

addressbook

 http://b-elektro.no/ Upload Vulnerability 040710 dev states resolved

NijnaMonials

 http://ninjaforge.com/ Sqli Vulnerability 040710 070410 Discovered to be malicious/false report see devs notice

Phoca Gallery

 SQL I (wrong download location in report) 040710 deemed malicious report

socialads

 techjoomla.com/ Xss Vulnerability 040710 Developers resolved statement

eventcal 1.6.4

 http://joomlacode.org/gf/project/eventcal/frs/ SQL I last update 2006-12-31 on joomlacode 040710

myblog controller

 LFI

http://www.azrul.com/

 010710 MyBlog 3.0.332

joomanager

 SQli Vulnerability

http://www.joomanager.com

 010710 developer release statement 260311

gamesbox

 SQL Injection Vulnerability

http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox

 010710 upgrade to 1.0.10

wmtpic

 www.webmaster-tips.net various 010710

date converter

 http://sourceforge.net/projects/date-converter/ sqli 010710

Remository

 http://remository.com/ LFI (proc) 010710 Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710

RokBridge 1.0rc12

 http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SDI 090810 RokBridge has been updated to version 1.0rc13. 120810

real estate

 http://www.opensourcetechnologies.com/demos/real-estate.html RFI 210610

jomsocial

 Version: 1.6.288 Multiple XSS 210610 1.6.291 released 220610

DOCman

 DOCman 1.5.7 DOCman 1.4.0 none specific exploit 210610 developer announcement

eportfolio

 http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability 200610 Developer announcement 270810

cinema

 SQL injection 190610

Jreservation

 http://jforjoomla.com/ SQLi Vulnerability 190610

Super Messenger

 axxis.gr xss 190610 developer release statement 1.4.6

joomdocs

 http://joomclan.com/index.php/JoomDocs/ xss vulnerability 190610

RSComments 1.0.0

 Persistent XSS NOTE: ONLY executes in backend! 190610 Developer update announcement 210610

Live Chat

 http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities 190610

Turtushout 0.11

 http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) 190610

BF Survey Pro Free

 BF Survey Pro Free SQL Injection Exploit 190610

MisterEstate

 http://www.misterestate.com/ Blind SQL Injection Exploit 190610

RSMonials

 http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit 190610 Believed to be 1.5.1 version


RSComments 1.0.0

 RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted) 180610 Developer update announcement 210610

Answers v2.3beta

 Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 180610

Gallery XML 1.1

 Multiple Vulnerabilities

http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504

 180610

JFaq 1.2

 JFaq 1.2 Multiple Vulnerabilities 180610

Listbingo 1.3

 Multiple Vulnerabilities

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062

 180610

PowerMail Pro

 PowerMail Pro Local File Inclusion Vulnerability Dev upadte statement 151010

Alpha User Points

 www.alphaplug.com LFI 180610

Magic Updater

 http://software.realtyna.com/ RFI 170610 [1] developer update statement

recruitmentmanager

 http://recruitment.focusdev.co.uk Upload Vulnerability 130610

Info Line (MT_ILine)

 http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file 120610

Search Log

 http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi 080610 Developer cited update to version 3.1.1 100710

iJoobi

 jtickets, jsubscription SQL Injection Vulnerability,

jstore SQL Injection Vulnerability, jnewsletter SQL Injection, jmarket SQL Injection Vulnerability, jcommunity SQL Injection, jsubscription SQL Injection,

 090610 developer states unproven

Ads manager Annonce

 http://joomla.clubnautiquemarine.fr/

Upload Vulnerability

 05/06/10

lead article

 http://www.leadya.co.il/ SQLi 050610

djartgallery

 http://www.design-joomla.eu Multiple Vul 05/06/10

Gallery 2 Bridge

 g2bridge LFI vulnerability

jsjobs

 jsjobs SQL Injection Vulnerability

JE Poll

 http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability

MyCar

 http://www.unisoft.me/extensions/ sqli ID Dev announcement update to 1.1

MediQnA

 MediQnA LFI vulnerability version : v1.1

JE Job

 http://joomlaextensions.co.in/ LFI SQLi

BF Quiz

 SQL Injection Exploit Version(s) = 1.3.0 Developer update to BF Quiz v1.3.1

Ozio Gallery 2

 DT and open email relay 280510 Developer update and security release 010610

SectionEx

 Stack Ideas section Ex LFI

ActiveHelper LiveHelp

 XSS in LiveHelp 200510

RS Comments

 XSS Vulnerability - fix posted 210510

BCA RSS Feed

 LFI and other vulnerabilities Upgrade to Ninja RSS Syndicator 1.0.9 or later

SimpleDownload

 http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits 160510 updated version (version 0.9.6)

JE Quotation Form

 http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI

konsultasi

 SQL Injection Vulnerability

Aardvertiser

 Local File Inclusion Vulnerability

http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454

 see resolved notice 040810

Seber Cart

 Local File Disclosure Vulnerability Developer Update 140510

FDione Form Wizard

 lfi vulnerability 140510 200510 Update to Dione Form Wizard (v. 1.0.4).

Custom PHP Pages

 http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability Developer declares not vulnerable 140510

Camp26 Visitor

 RFI www.camp26.biz

iJoomla News Portal

 RFI SID Update to 1.5.10

article Factory Manager

 RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html may 2010 can not reproduce and unproven, http://www.thefactory.ro

Table JX Component

 http://www.toolsjx.com/ Table JX Component XSS 060510 - update 130510 Version: 1.5.5 considered unsafe, update to 1.5.7

JE Property

 JE Property Finder Upload Vulnerability

Noticeboard

 Noticeboard for Joomla "controller" Local File Inclusion Vulnerability

SmartSite

 SmartSite com_smartsite Local File Inclusion Vulnerability

ABC

 ABC SQL Injection Vulnerability reported as updated to JED 290410

htmlcoderhelper graphics

 htmlcoderhelper graphics v1.0.6 LFI Vulnerability

Ultimate Portfolio

 Ultimate Portfolio Local File Inclusion Vulnerability

huruhelpdesk

 http://www.huruhelpdesk.net sqli injection Reported fix

Archery Scores

 Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability 210410

ZiMB Manager

 Joomla Component ZiMB Manager Local File Inclusion Vulnerability 210410

Matamko

 Matamko Local File Inclusion Vulnerability 210410

Multiple Root

 Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/

Multiple Map

 Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

Contact Us Draw Root Map

 Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com

iF surfALERT

 iF surfALERT Local File Inclusion Vulnerability

GBU FACEBOOK

 GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/

jnewspaper

 jnewspaper (cid) SQL Injection Vulnerability

JTM Reseller

 TM Reseller SQL injection vulnerability Developer Update

media Mall Factory

 SQLi 200410 Solution: update to 1.0.5

Gadget Factory

 LFi 200410 Solution: update to 1.5.1

Deluxe Blog Factory

 SQLi 200410 update to 1.1.2

MT Fire Eagle

 LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com 190410 product considered retired and to be replaced by dev

com properties

 http://com-property.com/ SQL I developer announced fix

Sweetykeeper

 Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ 120410

jvehicles

 SQL Injection http://jvehicles.com 120410

worldrates

 http://dev.pucit.edu.pk/ 120410

cvmaker

 http://dev.pucit.edu.pk/

advertising

 http://dev.pucit.edu.pk/

horoscope

 http://dev.pucit.edu.pk/ 120410

webtv

 http://dev.pucit.edu.pk/ 120410

diary

 http://dev.pucit.edu.pk/ 120410

Multi-Venue Restaurant Menu Manager (MVRMM)

 http://www.focusdev.co.uk/ 120410 Version 1.5.2 Stable Update 4

Memory Book

 http://dev.pucit.edu.pk/ 120410

TRAVELbook

 http://www.demo-page.de/ 120410 developers resolution notice 1.0.2

AlphaUserPoints

 developer upgrade

JprojectMan

 LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 110410

CKForms

 1.3.4 release - Important LFI security fix [2] 07-04-10 upgrade

econtentsite

 LFI 040410

Jvehicles

 ID 040410

smestorage

 SMEStorage LFI Updated 29 March 10 developer fix to 1.1

JE Tooltip

 JE Tooltip LFI Updated 23 March

Gift Exchange Beta

 Gift exchange SQLi Updated 23 March upgrade beta 1.0.1

RokDownloads

 [LFI] 15 march 2010 upgrade to version 1.0

gigcalender

 SQLi gigcalender 13 march 2010

heza content

 SQLi heza content 13 march 2010

juliaportfolio

 LFI juliaportfolio 13 march 2010 withdrawal and update notice

Flash Magazine Deluxe

 SQL Injection Vulnerability. Feb 25 Developer Update Version 2.0.11 09/03/10

SqlReport

 Sqlreport has a sql/RFI exploit. awaiting confirmation on exact developer. Feb 20 Not Known

Scriptegrator

 Core Design Scriptegrator RFI exploit Feb 20 Dev Upgrade announcement

AllVideos 3.1

A vulnerability discovered in versions 3.0. and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/]|

 17 Feb Version 3.3 release 18th

RW Cards

 RW Card LFI and ID exploit Dev Site 180210 developer update

Yelp

 SQLi - Unable to locate developer. Possibly a custom extension. Feb 01 Not Known

Autartitarot

 Directory Traversal. Back end access required Feb 05 Please upgrade to version 1.0.4

communitypolls

 LFI - community polls Feb 17 upgrade to version 1.5.3

This list is change protected, for updates or additions Mandville or lafrance

Codes used

SQLi - SQL injection wikipedia

LFI - Local File Inclusion scribd

RFI - Remote file inclusion wikipedia

DT - Directory Traversal wikipedia

ID = Information Disclosure: account information or sensitive information publicly viewable




Future Actions & WIP

RSS feed completed


to feed VEL direct to twitter

Notes

The RSS feed is currently fed by item entry order and not by date fixed. List as discussed in jtopic:455746 by PhilD editing by Mandville

Retrieved from "http://docs.joomla.org/Vulnerable_Extensions_List"
More in this category: « mdigg Sobi »

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.

back to top