[20170701] - Core - Information Disclosure
Improper cache invalidation leads to disclosure of form contents...
EasySocial versions before 1.4.7
EasySocial versions before 1.4.7: Code injection. Resolution: update to 1.4.7. Update notice: http://stackideas.com/blog/critical-update-for-easysocial-update-to-1-4-7-now...
Joom Donation, versions before 4.1, Information Disclosure
Joomdonation extensions, Information Disclosure. Joom Donation versions before 4.1. Resolution: update to 4.1. Update notice URL: http://joomdonation.com/forum/joom-donation/50513-joom-donation-version-4-1-released.html...
Payment Form, versions before 4.2
Joomdonation extensions, Information Disclosure. Payment Form versions before 4.2. Resolution: update to 4.2. Update notice URL: http://joomdonation.com/forum/payment-form/50514-payment-form-version-4-2-released.html...
Eshop, versions before 1.4.4
Joomdonation extensions, Information Disclosure. Eshop versions before 1.4.4. Resolution: update to 1.4.4. Update notice URL: http://joomdonation.com/forum/released-versions/50510-eshop-1-4-4-was-released-at-december-25-2015.html73480...
Membership Pro, versions before 2.1.1
Joomdonation extensions, Information Disclosure. Membership Pro versions before 2.1.1. Resolution: update to 2.1.1. Update notice URL: http://joomdonation.com/forum/membership-pro/50512-membership-pro-version-2-1-1-released.html...
Events Booking, versions before 2.1.1
Joomdonation extensions, Information Disclosure. Events Booking versions before 2.1.1. Resolution: update to 2.1.1. Update notice URL: http://joomdonation.com/forum/events-booking-general-discussion/50511-events-booking-version-2-1-1-released.html...
[20151206] - Core - Session Hardening
The Joomla Security Strike Team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September 2015 with the releases of PHP 5.4.45, 5.5.29 and 5.6.13. Note...
[20151207] - Core - SQL Injection
Inadequate filtering of request data leads to a SQL Injection vulnerability...
[20151205] - Session - Remote Code Execution Vulnerability
Browser information is not filtered properly while saving the session values which leads to a Remote Code Execution vulnerability...
[20151201] - Core - Remote Code Execution Vulnerability
Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability...
Resize Image On The Fly and Cache 1.1.0 and previous
Resize Image On The Fly and Cache - content plugin by s2software.it. Version 1.1.0 and likely all previous. Open folder permissions. Resolution: update to version 1.3.3. Existing users will need to manually fix the permissions of folder /images/cache to 755 or delete it in order to be recreated by th...
[20151203] - Core - Directory Traversal
Failure to properly sanitise input data from the XML install file located within an extension's package archive allows for directory traversal...
[20151202] - Core - CSRF Hardening
Add additional CSRF hardening in com_templates...
[20151204] - Core - Directory Traversal
Inadequate filtering of request data leads to a Directory Traversal vulnerability...
JNews,8.5.1,SQL Injection
JNews, 8.5.1 and all previous, SQL Injection. Resolution: update to 8.7.1. Update notice URL: http://www.joobi.co/blog/jnews-8-7-released.html. Note that due to a discrepancy in the developer's code between package and repository, some versions of the previous security release 8.6.1 are still vulnerable...
cckseblod 1.x Directory Traversal
comcckseblod aka Seblod 1.x for Joomla 1.5, 1.9.0 and all previous versions, Directory Traversal. Resolution: update to 1.9.1. Update notice: http://www.seblod.com/changelogs?sebchangelogproduct=cck1x. Developer states that Seblod 3.x, the version compatible with Joomla 2.5 and 3, is not vulnerable...
Realtyna RPL,8.9.2,Other
Realtyna RPL, 8.9.2, Other. Resolution: update to 8.9.5. Update notice URL: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog...
[20151002] - Core - ACL Violations
Inadequate ACL checks in com_contenthistory provide potential read access to data which should be access restricted...
[20151001] - Core - SQL Injection
Inadequate filtering of request data leads to a SQL Injection vulnerability...
Komento, 2.0.4 and previous, XSS (Cross Site Scripting)
Stackideas Komento, prior to 2.0.5, XSS (Cross Site Scripting). Resolved in version 2.0.5. Update notice: http://stackideas.com/changelog/komento?version=2.0.5...
Extplorer, 2.1.7 and previous
Developer statement: eXtplorer 2.1.8 released. Today eXtplorer 2.1.8 was released, fixing some minor vulnerabilities. Changelog: - added security functions for protection against CSRF attacks - fixed "directories with the name '0' are not loading". An update is recommended...
Master User, versions before 2.1.4
Versions before 2.1.4 suffered from an issue with insecure default settings. The issue affects Joomla 3.4 sites only, but users are advised by the developer to update anyway. Resolution: update to version 2.1.4. Update notice URL:...
JEvents, pre 3.2.20
Extension: JEvents from jevents.net. Vulnerability: SQL injection. Versions affected: prior to 3.2.20. Resolution: update to 3.2.20 - JEvents 3.4.0RC6 is also available for Joomla 3.4+ which fixes the same security issue. Update notice URL: https://www.jevents.net/component/zoo/item/jevents-33...
JCE - A Content Editor for Joomla, 2.5.0, 2.5.1, 2.5.2
JCE - A Content Editor for Joomla, vulnerable versions: 2.5.0, 2.5.1, 2.5.2. Vulnerability type: other. Resolution: update to version 2.5.3. Update notice URL: https://www.joomlacontenteditor.net/news/item/jce-253-released. Developer says that versions prior to 2.5.0 do not appear to be affected, but...
Joomla GoogleSearch (CSE), 3.0.2 and below, any Joomla
Joomla GoogleSearch (CSE), 3.0.2 and below, any Joomla, XSS (Cross Site Scripting). Resolution: update to version 3.0.4. Update notice: http://www.kksou.com/php-gtk2/joomla-news/important-notice-googlesearch-cse-component.php...
Music Collection, 2.4.6 and below, SQL Injection
Music Collection [com_muscol], 2.4.6 and below, SQL Injection. Fixed in 2.4.10. Notice: http://www.joomlathat.com/news/music-collection/music-collection-2-4-9-released-security-release-2...
[20150908] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in login module...
Event Manager, 2.1.4 and below, multiple vulnerabilities
Event Manager, 2.1.4 and below, SQLi and Unrestricted File Upload. Fixed in version 2.1.4.2. Notice: http://www.joomlaeventmanager.net/project/changelog-jem-2...
J2Store by Weblogicx India, 3.1.6 and below, SQL Injections
J2Store by Weblogicx India, 3.1.6 and below, SQL Injections. Update: vulnerabilities fixed in version 3.1.7. Announcement: http://j2store.org/j2store-v3.html...
Helpdesk Pro by Ossolution Team [com_helpdeskpro], before 1.4.0, multiple vulns
Helpdesk Pro by Ossolution Team [com_helpdeskpro], before 1.4.0, multiple vulns. Vulnerabilities: Direct Object References, Cross-Site Scripting, SQL Injection, Local file disclosure/Path traversal, File Upload. Fixed: vulnerability fixed in version 1.4.0. Developer's notice:...
Kunena 4.0.2 xss resolution
This version is a security release and addresses most of the important issues that were discovered in Kunena 4.0.1. Developer update statement: http://www.kunena.org/blog/149-kunena-4-0-2-released. Developer @kunena did not inform VEL...
SimpleImageUpload by Tuts4You, 1.2 and below, Other
SimpleImageUpload by Tuts4You, 1.2, Other...
BT Portfolio,3.0.5 and below,Other
BT Portfolio, 3.0.5 and below, Other. Resolution: update to 3.0.6 or later. Update notice: http://bowthemes.com/bt-portfolio-version-3.0.6.4.6-released.html...
Contus HD Video Share (aka HDVideoShare) by Apptha [com_contushdvideoshare], 3.5 and below, Directory Traversal
Contus HD Video Share by Apptha [com_contushdvideoshare], 3.5 and below, Directory Traversal...
Simple Image Gallery PRO, 3.0.7 and below, XSS (Cross Site Scripting)
Simple Image Gallery PRO [plg_content_jw_sigpro], 3.0.7 and below, XSS (Cross Site Scripting)...
BK Multithumb for Joomla 1.5, 2.5.0.4, XSS (Cross Site Scripting)
BK-Multithumb for Joomla 1.5, 2.5.0.4, XSS (Cross Site Scripting). Extension contains a known vulnerable version of the JS library prettyPhoto. The vulnerability in the JS file was patched by the extension author on the basis of the 3.1.2 file. Update notice: http://joomla.rjews.net/bk-multithumb...
Responsive Portfolio Wall [mod_repowa], 1.0 and below, XSS (Cross Site Scripting)
Responsive Portfolio Wall [mod_repowa], 1.0, XSS (Cross Site Scripting). Extension includes a vulnerable version of the JS library prettyPhoto. Vulnerability fixed in version 1.1. Update notice: http://www.joomlabusiness.net/module/responsive-portfolio-wall...
Zen Library [zen], 1.0.2 and below, XSS (Cross Site Scripting)
Zen Library [zen], 1.0.2, XSS (Cross Site Scripting)...
JB Library [jblibrary], 2.1.5 and below, XSS (Cross Site Scripting)
JB Library [jblibrary], 2.1.5 and below, XSS (Cross Site Scripting)...
UMI 3D Tag Cloud [mod_umi3dtagcloud], 1.3.4 and below, XSS (Cross Site Scripting)
UMI 3D Tag Cloud [mod_umi3dtagcloud], 1.3.4 and below, XSS (Cross Site Scripting)...
Art Pretty Photo [artprettyphoto],1.9.21 and below,XSS (Cross Site Scripting)
Art Pretty Photo [artprettyphoto], 1.9.21 and below, XSS (Cross Site Scripting)...
pPGallery [plg_content_ppgallery], 4.315, XSS (Cross Site Scripting)
pPGallery [plg_content_ppgallery], 4.315, XSS (Cross Site Scripting)...
Escope PrettyPhoto [mod_escope_pp], 1.0.3, XSS (Cross Site Scripting) - abandonware!
Escope PrettyPhoto [mod_escope_pp], 1.0.3 and below, XSS (Cross Site Scripting)...
StarLite Pretty Photo [plg_system_slprettyphoto],1.2, XSS (Cross Site Scripting)
StarLite Pretty Photo [plg_system_slprettyphoto], 1.2 and below, XSS (Cross Site Scripting)...
AP Portfolio [mod_ap_portfolio], 3.3 and below, XSS (Cross Site Scripting)
AP Portfolio [mod_ap_portfolio], 3.3.1 and below, XSS (Cross Site Scripting). Extension includes the vulnerable JS library prettyPhoto. Vulnerability fixed in version 3.3.2. Update notice: http://aplikko.com/joomla-extensions/ap-portfolio...
BK MultiThumb [multithumb], 3.7.1 and below, XSS (Cross Site Scripting)
BK-MultiThumb [multithumb], 3.7.1 and below, XSS (Cross Site Scripting). Extension contains a known vulnerable version of the JS library prettyPhoto. The vulnerability in the JS file was patched by the extension author on the basis of the 3.1.5 file. Update notice: http://joomla.rjews.net/bk-multithumb...
Joombri Freelance, pre 1.6.5, SQLi
JoomBri Freelance extension, pre 1.6.5, suffers from a major SQLi vulnerability. No contact from developer. Notified by Ruth Cheesley...
XCloner Backup and Restore [com_cloner], 3.5.2
XCloner Backup and Restore [com_cloner], 3.5.2 and probably previous, multiple vulnerabilities...
BeestoHelpDesk, 3.1.1 and probably all previous,Information Disclosure
BeestoHelpDesk, 3.1.1 and probably all previous, Information Disclosure. Resolution: update to version 3.1.2, or 2.5.2 for users of Joomla 2.5.x. Update notice: http://beesto.com/forum/read.php?25,1963,1963msg-1963...