[20161205] - PHPMailer Security Advisory
All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.20 which will be included with Joomla! 3.7. After analysis, the JSST has determined that through correct use of...
Chronoforms 5.0.13 PHP mailer vulnerability
Chronoforms 5.0.13 and previous versions include PHP Mailer library vulnerable to CVE-2016-10045 Resolution: update to 5.0.14 Update notice: https://www.chronoengine.com/forums/posts/t102804/p363944/phpmailer-library.html...
AcyMailing 5.6.0 PHP Mailer vulnerability
AcyMailing 5.6.0 and previous versions include PHP Mailer library vulnerable to CVE-2016-10033 and CVE-2016-10045 Resolution: update to 5.6.1 Update notice: https://www.acyba.com/68-acymailing-changelog.html...
JMS Support Online module, 2.0.0, XSS (Cross Site Scripting)
JMS Support Online module,2.0.0,XSS Cross Site Scripting...
Chronoforms 5.0.12 PHP mailer vulnerability
Chronoforms 5.0.12 and previous versions include PHP Mailer library vulnerable to CVE-2016-10033 Resolution: update to 5.0.13 Update notice: https://www.chronoengine.com/forums/posts/t102804/p363944/phpmailer-library.html...
[20170402] - Core - XSS Vulnerability
Inadequate filtering leads to XSS in the template manager component...
aWeb Cart Watching System 2.6.0
aWeb Cart Watching System for Virtuemart versions 2.6.0 and previous SQL injection Resolution: update to 2.6.1 Update Notice: http://awebsupport.com/...
DT Register, sql/xss, 3.1.12 / 2.8.18 and previous
DT Register Vulnerable version: 3.1.12 / 2.8.18 and previous sql/xss http://www.dthdevelopment.com/dth-news/dt-register-3.1.13-security-release.html http://www.dthdevelopment.com/joomla-components/dt-register-event-registration-for-joomla.html developer did not inform VEL...
AVChat Video Chat Integration Kit, File permissions
AVChat Video Chat Integration Kit, File permissions...
JS Jobs,1.1.5 and all previous,SQL Injection
JS Jobs,1.1.5 and all previous,SQL Injection Resolution: update to version 1.1.6 Update notice: https://www.joomsky.com/products/js-jobs.htmlfive...
[20161204] - Misc. Security Hardening
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restricts a user's ability to make potentially damaging configuration changes. This includes restricting the ability to set...
Kunena,K4.0.0 - K5.0.3,XSS (Cross Site Scripting)
Kunena,K4.0.0 - K5.0.3,XSS Cross Site Scripting Resolution: update to 5.0.4 update notice: https://www.kunena.org/blog/179-kunena-5-0-4-released...
JoomDoc 4.0.3 and previous
JoomDoc 4.0.3 and previous information disclosure resolution: update to 4.0.4 update notice: http://www.artio.net/newsflash/joomdoc-404-release...
[20161201] - Core - Elevated Privileges
Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments...
[20161003] - Core - Account Modifications
Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments...
[20161202] - Core - Shell Upload
Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded...
HDW Player, 3.2.1 and older
HDW Player, 3.2.1 and older including 3.1 and 3.0 Remote code execution Please see https://vel.joomla.org/vel-blog/2033-hdw-player-4-0-0-rce for further information...
[20161002] - Core - Elevated Privileges
Incorrect use of unfiltered data allows for users to register on a site with elevated privileges...
ja-k2-filter-and-search, SQL Injection
ja-k2-filter-and-search, version 1.2.2 and all previous SQL Injection Resolution: update to 1.2.5 Update notice: https://www.joomlart.com/updates/joomla-extensions/important-security-fix-release-ja-k2-filter-component?utm_source=newsletter&utm_medium=email&utm_campaign=k2filtercritical Note that developer...
[20161001] - Core - Account Creation
Inadequate checks allow users to register on a site when registration has been disabled...
Huge IT Slider,1.0.9,SQL Injection
Huge IT Slider,1.0.9,SQL Injection Resolution: update to 1.1.0 update notice: https://huge-it.com/joomla-extensions-security-notice/...
Huge IT Googlemaps,1.0.9,SQL Injection
Huge IT Googlemaps,1.0.9, Multiple SQL Injection vulnerabilities...
Huge IT Video Gallery,1.1.1,XSS (Cross Site Scripting)
Huge IT Video Gallery,1.1.1,XSS Cross Site Scripting Also versions 1.0.9 and previous have SQL injection vulnerability Resolution: update to version 1.1.3 Update notice: https://huge-it.com/joomla-extensions-security-notice/...
Huge IT Portfolio Gallery 1.0.7 and previous
Huge IT Portfolio Gallery 1.0.7 and previous Security updates connected with CSRF and XSS resolution: update to 1.1.0...
J-BusinessDirectory 4.5.4 and previous
J-BusinessDirectory 4.5.4 and previous sql injection resolution: update to 4.5.5 update notice: http://www.cmsjunkie.com/blog/joomlabusinessdirectory4-5-5release/...
Event Registration Pro,3.2.12 - 3.2.10,SQL Injection
Event Registration Pro,3.2.12 - 3.2.10,SQL Injection resolution: update to 3.2.13 update notice: https://www.joomlashowroom.com/blog/event-registration-pro-3-2-13-released-security-release...
aceftp,unknown version,Other
aceftp abandonware,unknown, Download Permission Extension not currently under development, probably all versions affected...
nitroslider,1.0.0
nitroslider,1.0.0 open folder permissions update to 1.0.1 update notice: https://www.themechoice.com/joomla-extensions/nitro-layer-slider...
Huge IT Catalog,1.0.6,SQL Injection
Huge IT Catalog,1.0.6 and previous versions ,SQL Injection and XSS vulnerability Resolution: update to 1.0.8 Update notice: https://huge-it.com/joomla-extensions-security-notice/...
K2,2.7.0,XSS (Cross Site Scripting)
K2,2.7.0,XSS Cross Site Scripting resolution: update to 2.7.1 update notice url: https://getk2.org/blog/2571-k2-v271-released Note that the VEL do not agree with the developer's assessment that XSS vulnerability is low priority...
Payplans SQLi
SQL Injection In PayPlans. readybytes developer update notice. http://www.readybytes.net/blog/item/payplans-sql-injection-blog.html Community notified report...
[20160803] - Core - CSRF
Add additional CSRF hardening in com_joomlaupdate...
Universal AJAX Live Search, 5.4.0, Other
Universal AJAX Live Search 5.4.0, Other. Inadequate permissions Developer states: Extension Update Details Folders permissions vulnerability fixed. Resolution: update to version 5.4.2 Update notice URL: http://universalajaxlivesearch.demo.offlajn.com/index.php/simple-theme/security-update...
SecurityCheck and SecurityCheck Pro Vulnerable Versions: 2.8.9
Stored XSS and SQL Injection in SecurityCheck and SecurityCheck Pro Vulnerable Versions: 2.8.9 possibly below resolution: update to version 2.8.10 update notice: https://securitycheck.protegetuordenador.com/index.php/downloads/securitycheck-j3x...
mod fancy tag cloud,1.017,Other
mod fancy tag cloud com_offlajninstaller,1.017,Other resolution: update to version 1.020 update notice: http://fancytagcloud.demo.offlajn.com/index.php/security-update existing users may also need to fix folder permissions, please contact the developer for further information...
Yeeditor, abandonware
Yeeditor from Yeedeen development apparently abandoned, developer's site is infected with malware All versions prior to 1.0.7 contain file upload vulnerability...
[20160801] - Core - ACL Violation
Inadequate ACL checks in com_content provide potential read access to data which should be access restricted to users with edit.own level...
[20170406] - Core - ACL Violations
Inadequate filtering of form contents allows the author of an article to be overwritten...
Komento 2.0.6, xss
We just released Komento 2.0.7 to address a security issue where a remote attacker may be able to launch an xss attack in prior versions of Komento. update notice: https://stackideas.com/blog/important-komento-2-0-7-security-fix...
gmapfp,3.39f,XSS (Cross Site Scripting)
gmapfp,3.39f and previous,XSS Cross Site Scripting Info disclosure, arbitrary file upload resolution: update to J3.41F update notice: http://gmapfp.org/en/news-of-gmapfp/39-strengthening-of-the-security-component...
[20161203] - Core - Information Disclosure
Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content...
User Group FTW For Hikashop,1.1.5,Other
User Group FTW For Hikashop, 1.1.5, Other...
JSN Power Admin,2.3.0,XSS (Cross Site Scripting)
JSN Power Admin,2.3.0, XSS Cross Site Scripting Resolution: update to 2.3.2 Update notice: http://www.joomlashine.com/knowledgeportal/articles/jsn-poweradmin-vulnerability-problem-solved.html Note that previous security release 2.3.1 is still vulnerable, and should be updated...
Spider random articles before 1.5.3
Spider random articles versions before 1.5.3 Resolution: update to 1.5.3 Update notice: https://web-dorado.com/products/joomla-random.html...
Breezing Forms Lite
Breezing Forms Lite before build 912 Information disclosure Resolution: update to latest version Update notice: https://crosstec.org/en/blog/859-breezingforms-medium-security-update.html...
Breezing Forms Full
Breezing Forms Full before build 884 Information disclosure Resolution: update to latest version Update notice: https://crosstec.org/en/blog/859-breezingforms-medium-security-update.html...
Form Maker before 3.6.0
Web Dorado Form Maker versions before 3.6.0 XSS Resolution: update to 3.6.0 Update notice: https://web-dorado.com/products/joomla-form.html...
[20170405] - Core - XSS Vulnerability
Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component...
[20170408] - Core - Information Disclosure
Multiple files caused full path disclosures on systems with enabled error reporting...
[20160802] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in mail component...