List prior to January 2010 (now archived): please check there also.
Please also check the Extension Investigation List.
Check and report.
Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions in the security forum, clearly marked with the first word in the title being "Vulnerable", where the security moderators or JSST team will respond. This list is change protected; for additions or updates email vel @ Joomla.org. Mandville and lafrance are the main editors.
- If you are seeing this page on any site other than the Official Joomla Documentation you may be seeing an out-of-date version or experiencing plagiarism, and the links may not work properly.
How to use this list
Items will be removed after a suitable period, not on resolution. All known vulnerable extensions are listed in the first column; any in a red box are those for which we have not been given a fix. Alert/advisory details are in the centre column. Finally, there is a link to the notice about any update, or "Not Known" where none is known.
This list is compiled from found information and may not be an up-to-date or accurate list. We do NOT promise to test or validate these reports. We do NOT guarantee the quality or effectiveness of any updates reported to us or listed here. To sign up for the feed please follow this link.
- We do not list BETA products, or extensions for J1.0.x.
Developers - How to get yourself removed from the VEL
Resolved items will be removed after a suitable period, not on resolution.
Please solve the issues and then:
- If JED listed
To have your extension republished, please follow these steps:
1- Solve the issues.
2- Attach the new zip file at your actual JED listing.
3- Change the extension version at JED listing.
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.
5- Create a JED listing owner ticket to the JED with a notice and ask that your listing be republished. Include the full details of your new version number and security notice page.
6- Email the VEL team with a notice of resolution, the latest version number and a link to the security release statement on your website.
The VEL email can be found above, and the JED support link is in your notice of "unpublication" and here.
- If not JED listed.
Inform us by email with a notice of resolution, the latest version number and a link to the security release statement on your website.
Reported Vulnerable Extensions, February 2010 onwards
Please check with the extension publisher in case of any questions over the security of their product. Report vulnerable extensions either in the jforum:432 security topic, clearly marked with the first word in the title being "Vulnerable Report", where the security moderators or JSST team will respond, or via email to the VEL team. For a guide to the codes, see "Codes used" below.
- If you are seeing this page on any site other than the Official Joomla Documentation you may be seeing an out-of-date version or experiencing plagiarism, and the links may not work properly.
Extension | Details | Date Added | Extension Update Link & Date |
---|---|---|---|
Calc Builder | SQLi + ID | 180611 | dev security release 0.0.2 |
Cool Debate | Cool Debate 1.03 LFI | | |
Scriptegrator Plugin 1.5.5 | LFI | 140611 | Update - Core Design Scriptegrator plugin 2.0.9 & 1.5.6 |
Joomnik Gallery | SQLi | | developer update to 0.9.1 |
JMS fileseller | LFI | 0611 | developer upgrade announcement to v1.1 |
sh404SEF | low-level XSS security issue | 300511 | Dev upgrade statement to 2.2.6 |
JE Story submit | LFI/RFI | | developer states Version 1.8 |
FCKeditor | File Upload Vulnerability | 230511 | |
KeyCaptcha | Private report under investigation | 190511 | |
Ask A Question AddOn v1.1 | SQLi | 160511 | |
Global Flash Gallery | flash-gallery.com XSS | 130511 | |
com_google | LFI com_google | 080511 | devs update to 1.5.1 |
docman | com_docman Input Validation Error | 160511 | devs resolution statement, report for old version |
Newsletter Subscriber | LFI and RFI | 120511 | |
Akeeba | Akeeba Backup and JoomlaPack | 170411 | dev update to 3.2.7 |
Facebook Graph Connect | SID. Call-home device with user credentials | 120411 | dev update notice |
booklibrary | SQLi ordasoft booklibrary | 180311 | developer upgrade instructions |
semantic | com_semantic http://www.scms.es/joomla creates hidden admin users | 150311 | |
JOMSOCIAL 2.0.x 2.1.x | SID, open folders | 120311 | |
flexicontent | forced 777, malicious files | 250311 | devs resolve statement, Changelog |
jLabs Google Analytics Counter | jLabs Google Analytics Counter SID | | |
xcloner | Unspecified | 260211 | dev announcement of security release |
smartformer | RFI | 230211 (repeat of 041110) | v2.4.1 security fix for Joomla 1.5.x |
xmap 1.2.10 | Malicious payload in zip | 230211 | developer resolution notice; clean version available from joomlacode |
Frontend-User-Access 3.4.1 | Frontend-User-Access 3.4.1 from http://www.pages-and-items.com LFI | 030211 | update to Frontend-User-Access 3.4.2 |
com properties 7134 | http://com-property.com/ malicious files in script | | Dev update statement |
B2 Portfolio | B2 portfolio 1.0 SQLi pulseextensions.com | 250111 | |
allcinevid | SQLi http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/15367 | 220111 | Developers resolution notice |
People Component | People component http://www.ptt-solution.com/vmchk/people-component.html SQLi | 150111 | |
J!Dump v1.1.2 | LFI in J!Dump v1.1.2 and before | 060111 | The extension is fixed in version 1.1.3 070111 |
xmovie 1.0 | xmovie 1.0 LFI | 010111 | v1.1 is a security release. |
Easy File Uploader | LFI - http://extensions.joomla.org/extensions/core-enhancements/file-management/11909 | 090111 | Fixed MIME type tamper vulnerability http://michaelgilkes.info/joomla-plugin-easy-file-uploader 2011-01-10 |
akeebabackup admin tools | XSS | 181210 | http://www.akeebabackup.com/home/item/929-security-release-admin-tools-1-1.html devs update statement |
aicontactsafe | XSS for versions 2.0.13 and below | 161210 | dev release 2.0.14 |
JRadio | JRadio LFI/SID | 161210 | http://www.fxwebdesign.nl/index.php?option=com_content&view=article&id=20&Itemid=56 developer fix statement |
JE Auto | JE Auto 1.0 SQLi | 091210 | developers bug fix statement |
jxtended comments | XSS | 081210 | dev notice update to 1.3.1 |
sh404SEF | SQLi | 301110 | dev post of resolution |
JE Ajax Event Calendar | SQLi (relist) | 251110 | Dev states resolved |
Jimtawl | Jimtawl LFI | 251110 | |
mosets tree | mosets tree various | 181110 | dev release 2.1.8 http://forum.mosets.com/showthread.php?t=17064 |
Maian Media SILVER | Maian Media SQLi | 151110 | Developer states unproven in free edition; paid/SILVER version is being upgraded. dev article |
alfurqan | alfurqan 1.5 SQLi | 151110 | |
ccboard | ccboard XSS and SQLi | 131110 | |
ProDesk v 1.5 | LFI | 091110 | |
JQuarks 4 survey 1.0.0 | SQLi | 091110 | developer statement updated to version 1.0.1 101110 |
RSform! 1.0.5 | Multiple vulnerabilities - LFI, SQLi | 061110 | developer announcement of security release to 1.0.6 091110 |
ccinvoices | SQLi for ccinvoices | 051110 | Developer upgrade release to ccInvoices_110RC3 061110 |
sponsorwall | SQL injection pulseextensions.com | 011110 | |
Flip wall | SQL injection pulseextensions.com | 011110 | |
K2 joomlaworks | http://getk2.org/ k2 XSS | | version 2.4.1 |
Mosets Tree 2.1.5 | Mosets Tree http://www.mosets.com/tree/ 2.1.5 LFI | | developer release statement and change log |
Freestyle FAQ 1.5.6 | http://freestyle-joomla.com/fssdownloads/viewcategory/2 Freestyle FAQ 1.5.6 SQL Injection | | |
JE FAQ Pro | JE FAQ Pro various reports | 090910 | Developer update notice |
iJoomla Magazine 3.0.1 | iJoomla Magazine 3.0.1 RFI | 090910 | |
Clantools | http://www.joomla-clantools.de/downloads/doc_download/7-clantools-123.html clantools SQLi | 090910 | |
jphone | jphone LFI | 090910 | |
Gantry Framework | SQL injection | 050910 | Update to 3.0.11 |
PicSell | LFD, 777 | 020910 | |
JE FAQ Pro | SID | 020910 | Developer update notice |
Zoom Portfolio | SID | 020910 | |
zina | SQL Injection | 020910 | |
Team's | Teams extension SQL Injection | 120810 | |
Amblog | Amblog SQLi | 120810 | |
Graffiti Wall | Graffiti Wall for jomsocial silent 777 | 310710 | Dev statement: 1.1 is a security release. Folder permission was set by default as 777, which is insecure. |
Spielothek | http://extensions.joomla.org/extensions/sports-a-games/games/11017 http://www.spielban.de/ silent 0777, unknown folder creation | 290710 | Dev states version 1.7.1 resolves issues 020810 |
Aardvertiser | http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 silent 0777 | 290710 | dev announces silent 0777 fixed in Version 2.1 290710 |
FW Real Estate Light | http://extensions.joomla.org/extensions/vertical-markets/real-estate/13376 http://www.fastw3b.net/fw-real-estate-light.html silent 777 | 290710 | version 1.1 reported as fixing the 777 issue |
jDownloads | http://www.jdownloads.com/ and http://extensions.joomla.org/extensions/directory-a-documentation/downloads/2849 silent 0777 setting | 2807110 | 1.7.4 RC3 Build 771 update on Jul 29 to remove 0777 |
TTVideo | TTVideo 1.0 Joomla SQL Injection Vulnerability | 270710 | dev updated the component to prevent this. 280710. Users are no longer able to download the previous version. |
frei-chat2.0 | http://code.google.com/p/frei-chat/downloads/list XSS vulnerability | 230710 | Dev announcement of fix: 2.1.2 for FreiChat [those having CB installed] AND 1.2.2 for FreiChatPure [extension independent] 240710 |
QContacts | http://extensions.joomla.org/extensions/contacts-and-feedback/contact-details/4811 Version 1.0.4 reported, current version 1.0.6 | 220710 | Developer states unproven report and no POC |
Jomtube | http://www.jomtube.com/ SID | 220710 | |
mysms | http://www.willcodejoomlaforfood.de/ Upload Vulnerability | July 10, 2010 | 290710 released version 1.5.12. |
Rapid Recipe | http://www.rapid-source.com Persistent XSS Vulnerability; last known fix version 1.7.2 | July 10, 2010 | |
Health & Fitness Stats | http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Persistent XSS Vulnerability | July 10, 2010 | |
staticxt | http://extensions.joomla.org/extensions/edition/custom-code-in-content/2184 no version number provided | | |
EasyBlog | http://stackideas.com/products/easyblog.html XSS (new report) | July 10, 2010 | developer reported fix available on site |
redshop light | http://redcomponent.com/redshop http://extensions.joomla.org/extensions/e-commerce/shopping-cart/13184 silent 777 and SQLi | 110710 | Developer reported fix and upgrade to RC2 |
quickfaq | http://www.schlu.net SQLi | 090710 | |
Minify4Joomla | http://waltercedric.com/ LFI and XSS | 090710 | No longer available to download |
IXXO Cart | http://www.php-shop-system.com/ SQLi, LFI, XSS Vulnerability | | |
Music Manager | LFI music manager | 090710 | Version 0.13 released |
PaymentsPlus | http://paymentsplus.com.au/ 2.1.5 Blind SQL Injection Vulnerability | 090710 | current version 2.20; 2.1.5 not listed on dev site |
ArtForms | http://joomlacode.org/gf/project/jartforms/ ArtForms 2.1b7.2 RC2 Multiple Remote Vulnerabilities | 090710 | Old beta extension |
NeoRecruit | neojoomla.com SQL Injection (NeoRecruit version 1.4) | 060710 | dev statement of fix in 1.4.1 and safe 2.0.5 |
autartimonial | autartica.be SQLi Vulnerability | 060710 | |
Jobs Pro | instantphp.com/ SQLi | 060710 | devs announcement of fix 130710 |
JPodium | http://www.jpodium.de/ SQL Injection | 060710 | Devs statement as to not proven |
Front-End Article Manager System | http://b-elektro.no/ Upload Vulnerability | 040710 | dev states resolved |
addressbook | http://b-elektro.no/ Upload Vulnerability | 040710 | dev states resolved |
NinjaMonials | http://ninjaforge.com/ SQLi Vulnerability | 040710 | 070410 discovered to be a malicious/false report; see devs notice |
Phoca Gallery | SQLi (wrong download location in report) | 040710 | deemed malicious report |
socialads | techjoomla.com/ XSS Vulnerability | 040710 | Developers resolved statement |
eventcal 1.6.4 | http://joomlacode.org/gf/project/eventcal/frs/ SQLi; last update 2006-12-31 on joomlacode | 040710 | |
myblog controller | LFI | 010710 | MyBlog 3.0.332 |
joomanager | SQLi Vulnerability | 010710 | developer release statement 260311 |
gamesbox | SQL Injection Vulnerability http://www.jooforge.com/en/download/commercial/extensions/39-gamesbox | 010710 | upgrade to 1.0.10 |
wmtpic | www.webmaster-tips.net various | 010710 | |
date converter | http://sourceforge.net/projects/date-converter/ SQLi | 010710 | |
Remository | http://remository.com/ LFI (proc) | 010710 | Developer states not proven and possibly malicious. Unable to reproduce without proc/environ security. 260710 |
RokBridge 1.0rc12 | http://extensions.joomla.org/extensions/communication/forum-bridges/9012 SID | 090810 | RokBridge has been updated to version 1.0rc13. 120810 |
real estate | http://www.opensourcetechnologies.com/demos/real-estate.html RFI | 210610 | |
jomsocial | Version 1.6.288 Multiple XSS | 210610 | 1.6.291 released 220610 |
DOCman | DOCman 1.5.7, DOCman 1.4.0, non-specific exploit | 210610 | developer announcement |
eportfolio | http://www.joomplace.com/e-portfolio/e-portfolio-description.html Upload Vulnerability | 200610 | Developer announcement 270810 |
cinema | SQL injection | 190610 | |
Jreservation | http://jforjoomla.com/ SQLi Vulnerability | 190610 | |
Super Messenger | axxis.gr XSS | 190610 | developer release statement 1.4.6 |
joomdocs | http://joomclan.com/index.php/JoomDocs/ XSS vulnerability | 190610 | |
RSComments 1.0.0 | Persistent XSS. NOTE: ONLY executes in backend! | 190610 | Developer update announcement 210610 |
Live Chat | http://www.joompolitan.com/livechat.html Multiple Remote Vulnerabilities | 190610 | |
Turtushout 0.11 | http://www.turtus.org.ua/files?func=fileinfo&id=13 SQL Injection (again) | 190610 | |
BF Survey Pro Free | BF Survey Pro Free SQL Injection Exploit | 190610 | |
MisterEstate | http://www.misterestate.com/ Blind SQL Injection Exploit | 190610 | |
RSMonials | http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component XSS Exploit | 190610 | Believed to be version 1.5.1 |
RSComments 1.0.0 | RS Comments 1.0.0 Multiple XSS Vulnerabilities http://www.rsjoomla.com (relisted) | 180610 | Developer update announcement 210610 |
Answers v2.3beta | Multiple Vulnerabilities http://extensions.joomla.org/extensions/communication/forum/12652 | 180610 | |
Gallery XML 1.1 | Multiple Vulnerabilities http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504 | 180610 | |
JFaq 1.2 | JFaq 1.2 Multiple Vulnerabilities | 180610 | |
Listbingo 1.3 | Multiple Vulnerabilities http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/12062 | 180610 | |
PowerMail Pro | PowerMail Pro Local File Inclusion Vulnerability | | Dev update statement 151010 |
Alpha User Points | www.alphaplug.com LFI | 180610 | |
Magic Updater | http://software.realtyna.com/ RFI | 170610 | developer update statement |
recruitmentmanager | http://recruitment.focusdev.co.uk Upload Vulnerability | 130610 | |
Info Line (MT_ILine) | http://extensions.joomla.org/extensions/news-display/news-tickers-a-scrollers/8425 reports of shell scripts in download file | 120610 | |
Search Log | http://www.kanich.net/radio/site/searchlog/searchlog-download SQLi | 080610 | Developer cited update to version 3.1.1 100710 |
iJoobi | jtickets, jsubscription SQL Injection Vulnerability; jstore SQL Injection Vulnerability; jnewsletter SQL Injection; jmarket SQL Injection Vulnerability; jcommunity SQL Injection; jsubscription SQL Injection | 090610 | developer states unproven |
Ads manager Annonce | http://joomla.clubnautiquemarine.fr/ Upload Vulnerability | 05/06/10 | |
lead article | http://www.leadya.co.il/ SQLi | 050610 | |
djartgallery | http://www.design-joomla.eu Multiple Vulnerabilities | 05/06/10 | |
Gallery 2 Bridge | g2bridge LFI vulnerability | | |
jsjobs | jsjobs SQL Injection Vulnerability | | |
JE Poll | http://slideshow.joomlaextensions.co.in/ SQL Injection Vulnerability | | |
MyCar | http://www.unisoft.me/extensions/ SQLi, ID | | Dev announcement update to 1.1 |
MediQnA | MediQnA LFI vulnerability, version v1.1 | | |
JE Job | http://joomlaextensions.co.in/ LFI, SQLi | | |
BF Quiz | SQL Injection Exploit, Version(s) = 1.3.0 | | Developer update to BF Quiz v1.3.1 |
Ozio Gallery 2 | DT and open email relay | 280510 | Developer update and security release 010610 |
SectionEx | Stack Ideas SectionEx LFI | | |
ActiveHelper LiveHelp | XSS in LiveHelp | 200510 | |
RS Comments | XSS Vulnerability | | fix posted 210510 |
BCA RSS Feed | LFI and other vulnerabilities | | Upgrade to Ninja RSS Syndicator 1.0.9 or later |
SimpleDownload | http://extensions.joomla.org/extensions/directory-a-documentation/downloads/10717 various exploits | 160510 | updated version (version 0.9.6) |
JE Quotation Form | http://joomlaextensions.co.in/free-download/doc_download/11-je-quotation-form.html LFI | | |
konsultasi | SQL Injection Vulnerability | | |
Aardvertiser | Local File Inclusion Vulnerability http://extensions.joomla.org/extensions/ads-a-affiliates/classified-ads/9454 | | see resolved notice 040810 |
Seber Cart | Local File Disclosure Vulnerability | | Developer Update 140510 |
FDione Form Wizard | LFI vulnerability | 140510, 200510 | Update to Dione Form Wizard (v. 1.0.4). |
Custom PHP Pages | http://extensions.joomla.org/extensions/edition/custom-code-in-content/5057 LFI Vulnerability | | Developer declares not vulnerable 140510 |
Camp26 Visitor | RFI www.camp26.biz | | |
iJoomla News Portal | RFI, SID | | Update to 1.5.10 |
Article Factory Manager | RFI & Input Validation Error http://www.thefactory.ro/shop/joomla-components/article-manager.html | May 2010 | cannot reproduce and unproven, http://www.thefactory.ro |
Table JX Component | http://www.toolsjx.com/ Table JX Component XSS | 060510 - update 130510 | Version 1.5.5 considered unsafe; update to 1.5.7 |
JE Property | JE Property Finder Upload Vulnerability | | |
Noticeboard | Noticeboard for Joomla "controller" Local File Inclusion Vulnerability | | |
SmartSite | SmartSite com_smartsite Local File Inclusion Vulnerability | | |
ABC | ABC SQL Injection Vulnerability | | reported as updated to JED 290410 |
htmlcoderhelper graphics | htmlcoderhelper graphics v1.0.6 LFI Vulnerability | | |
Ultimate Portfolio | Ultimate Portfolio Local File Inclusion Vulnerability | | |
huruhelpdesk | http://www.huruhelpdesk.net SQL injection | | Reported fix |
Archery Scores | Archery Scores (com_archeryscores) v1.0.6 LFI Vulnerability | 210410 | |
ZiMB Manager | Joomla Component ZiMB Manager Local File Inclusion Vulnerability | 210410 | |
Matamko | Matamko Local File Inclusion Vulnerability | 210410 | |
Multiple Root | Multiple Root Local File Inclusion Vulnerability http://joomlacomponent.inetlanka.com/ | | |
Multiple Map | Multiple Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | | |
Contact Us Draw Root Map | Draw Root Map Local File Inclusion Vulnerability joomlacomponent.inetlanka.com | | |
iF surfALERT | iF surfALERT Local File Inclusion Vulnerability | | |
GBU FACEBOOK | GBU FACEBOOK SQL injection vulnerability http://www.gbugrafici.nl/gbufacebook/ | | |
jnewspaper | jnewspaper (cid) SQL Injection Vulnerability | | |
JTM Reseller | JTM Reseller SQL injection vulnerability | | Developer Update |
Media Mall Factory | SQLi | 200410 | Solution: update to 1.0.5 |
Gadget Factory | LFI | 200410 | Solution: update to 1.5.1 |
Deluxe Blog Factory | SQLi | 200410 | update to 1.1.2 |
MT Fire Eagle | LFI http://joomlacode.org/gf/project/jfireeagle/frs/ http://www.moto-treks.com | 190410 | product considered retired and to be replaced by dev |
com properties | http://com-property.com/ SQLi | | developer announced fix |
Sweetykeeper | Sweetykeeper Local File Inclusion Vulnerability http://www.joomlacorner.com/ | 120410 | |
jvehicles | SQL Injection http://jvehicles.com | 120410 | |
worldrates | http://dev.pucit.edu.pk/ | 120410 | |
cvmaker | http://dev.pucit.edu.pk/ | | |
advertising | http://dev.pucit.edu.pk/ | | |
horoscope | http://dev.pucit.edu.pk/ | 120410 | |
webtv | http://dev.pucit.edu.pk/ | 120410 | |
diary | http://dev.pucit.edu.pk/ | 120410 | |
Multi-Venue Restaurant Menu Manager (MVRMM) | http://www.focusdev.co.uk/ | 120410 | Version 1.5.2 Stable Update 4 |
Memory Book | http://dev.pucit.edu.pk/ | 120410 | |
TRAVELbook | http://www.demo-page.de/ | 120410 | developers resolution notice 1.0.2 |
AlphaUserPoints | | | developer upgrade |
JprojectMan | LFI http://extensions.joomla.org/extensions/communities-a-groupware/project-a-task-management/5676 | 110410 | |
CKForms | 1.3.4 release - Important LFI security fix | 07-04-10 | upgrade |
econtentsite | LFI | 040410 | |
Jvehicles | ID | 040410 | |
smestorage | SMEStorage LFI | Updated 29 March 10 | developer fix to 1.1 |
JE Tooltip | JE Tooltip LFI | Updated 23 March | |
Gift Exchange Beta | Gift Exchange SQLi | Updated 23 March | upgrade beta 1.0.1 |
RokDownloads | LFI | 15 March 2010 | upgrade to version 1.0 |
gigcalender | SQLi gigcalender | 13 March 2010 | |
heza content | SQLi heza content | 13 March 2010 | |
juliaportfolio | LFI juliaportfolio | 13 March 2010 | withdrawal and update notice |
Flash Magazine Deluxe | SQL Injection Vulnerability | Feb 25 | Developer Update Version 2.0.11 09/03/10 |
SqlReport | SqlReport has a SQL/RFI exploit. Awaiting confirmation on exact developer. | Feb 20 | Not Known |
Scriptegrator | Core Design Scriptegrator RFI exploit | Feb 20 | Dev Upgrade announcement |
AllVideos 3.1 | A vulnerability discovered in versions 3.0 and 3.1 of the plugin can be exploited by malicious people to disclose potentially sensitive information. For security reasons we will not be providing further details, to safeguard users of affected versions. http://www.joomlaworks.gr/content/view/77/34/ | 17 Feb | Version 3.3 release 18th |
RW Cards | RW Card LFI and ID exploit, Dev Site | 180210 | developer update |
Yelp | SQLi - Unable to locate developer. Possibly a custom extension. | Feb 01 | Not Known |
Autartitarot | Directory Traversal. Back-end access required | Feb 05 | Please upgrade to version 1.0.4 |
communitypolls | LFI - community polls | Feb 17 | upgrade to version 1.5.3 |
This list is change protected; for updates or additions contact Mandville or lafrance.
Codes used
- SQLi - SQL injection (Wikipedia)
- LFI - Local File Inclusion (Scribd)
- RFI - Remote File Inclusion (Wikipedia)
- DT - Directory Traversal (Wikipedia)
- ID - Information Disclosure: account information or sensitive information publicly viewable
Future Actions & WIP
- RSS feed completed
- To feed VEL directly to Twitter
Notes
The RSS feed is currently ordered by item entry, not by the date fixed. List layout as discussed in jtopic:455746 by PhilD; editing by Mandville.