725 matches found
Saxum Astro, 4.0.14, SQL Injection
Saxum Astro, versions 4.0.14 and previous, SQL Injection...
Saxum Picker, 3.2.10, SQL Injection
Saxum Picker, versions 3.2.10 and previous, SQL Injection...
Kubik-Rubik Simple Image Gallery Extended (SIGE), 3.2.3, XSS (Cross Site Scripting)
Kubik-Rubik Simple Image Gallery Extended (SIGE), versions 3.2.3 and previous, XSS (Cross Site Scripting) Resolution: update to 3.2.4 (latest release is 3.3.0) Update notice: https://joomla-extensions.kubik-rubik.de/sige-simple-image-gallery-extendedchangelog Note that the developer did not inform the ...
Saxum Numerology, 3.0.4, SQL Injection
Saxum Numerology, versions 3.0.4 and previous, SQL Injection...
Smart Shoutbox, 2.9.5, SQL Injection
Smart Shoutbox by thekrotek.com, versions 2.9.5 and previous, SQL Injection Resolution: update to 3.0.0 (released July 2017) Update notice: so far the developer has not published an update notice making clear that this was a security release. The developer says "Version 3.0 is an absolutely new...
Timetable Responsive Schedule, 1.6, SQL injection
Timetable Responsive Schedule For Joomla by QuanticaLabs, versions 1.6 and previous, SQL injection Resolution: update to 1.7 Update notice: https://codecanyon.net/item/timetable-responsive-schedule-for-joomla/9749539item-descriptionupdates...
Solidres, 2.5.0, SQL Injection
Solidres, versions 2.5.0 and previous, SQL Injection Resolution: update to 2.5.1 Update notice: https://www.solidres.com/download/show-all-downloads/solidres/solidres-2-5-1...
JSP Store Locator, 2.4, SQL Injection
JSP Store Locator by Joomla Service Provider, versions 2.4 and previous, SQL Injection Resolution: update to 2.5 update notice: http://www.joomlaserviceprovider.com/jspblog/jsp-store-locator-2-5-security-release.html...
JSP Tickets, 1.1, SQL Injection
JSP Tickets from Joomla Service Provider, versions 1.1 and previous, SQL Injection Resolution: update to version 1.2.0 Update notice: http://www.joomlaserviceprovider.com/jspblog/jsp-tickets-1-2-security-release.html...
ZH GoogleMap, 8.4.0.0, SQL Injection
ZH GoogleMap from zhuk.cc, versions 8.4.0.0 and previous, SQL Injection Resolution: update to 8.4.1.0 Update notice: http://zhuk.cc/2018/02/21/zh-googlemap-security-update-2/...
ZH Yandex Map, 6.2.1.0, SQL Injection
ZH Yandex Map from zhuk.cc, versions 6.2.1.0 and previous, SQL Injection Resolution: update to version 6.3.1.0 Update notice: http://zhuk.cc/2018/02/21/zh-yandexmap-security-update-2/...
Zh BaiduMap, 3.0.0.1, SQL Injection
Zh BaiduMap by zhuk.cc, versions 3.0.0.1 and previous, SQL Injection resolution: update to 3.0.1.0 update notice: http://zhuk.cc/2018/02/21/zh-baidumap-security-update/...
JS Jobs, 1.1.9, SQL Injection
JS Jobs by Joomsky, versions 1.1.9 and previous, SQL injection resolution: update to version 1.2.0 update notice: http://www.joomsky.com/products/js-jobs.html...
Jimtawl, 2.2.6, Arbitrary File Upload
Jimtawl from janguo.de, 2.2.6, arbitrary file upload Resolution: update to 2.2.7 Update notice: http://janguo.de/lang-de/joomla-25-higher/jimtawl.html...
ccNewsletter 2.2.3 security release
There is a SQL injection issue in ccNewsletter. I advise everyone using a ccNewsletter version before 2.2.2 to upgrade! You can download ccNewsletter 2.2.3 from our downloads section here. https://www.chillcreations.com/downloads/ccnewsletterreltabs-145-notes...
[20180504] - Core - Installer leaks plain text password to local user
The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and displays the plain text password for the administrator account at the confirmation screen...
JS Support Ticket, 1.1.0, XSS (Cross Site Scripting)
JS Support Ticket, 1.1.0, XSS (Cross Site Scripting) Resolution: update to 1.1.1 Update notice: http://www.joomsky.com/products/js-ticket-joomla.html...
[20180505] - Core - XSS Vulnerabilities & additional hardening
Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform an XSS attack...
JCE Editor, 2.6.25, XSS (Cross Site Scripting)
JCE Editor Pro, version 2.6.25 only, XSS (Cross Site Scripting) Resolution: update to 2.6.26 Update notice: https://www.joomlacontenteditor.net/news/jce-pro-2-6-26-released...
Simple Image Gallery (free) 3.5.0 and previous, XSS
Simple Image Gallery Free by Joomlaworks, versions 3.5.0 and previous, XSS Resolution: update to 3.6.0 Update notice: https://www.joomlaworks.net/blog/item/269-simple-image-gallery-free-v3-6-0-released-featuring-enhanced-print-previews-fixing-xss-vulnerability-related-to-print-page-output Note th...
[20180101] - Core - XSS vulnerability in module chromes
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system...
[20180102] - Core - XSS vulnerability in com_fields
Inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e. list, radio and checkbox...
cms2cms improper file/folder permissions
All these extensions create a folder with permissions 0777, which is not subsequently deleted. CMS2CMS: Automated Blogger to J! Migration CMS2CMS: Automated HTML to J! Migration CMS2CMS: Automated Drupal to J! Migration CMS2CMS: Automated WordPress to J! Migration CMS2CMS Automated WiX to J!...
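A leftover 0777 directory is the kind of thing that is easy to miss by eye and easy to find by script. The following is an added example, not code from the VEL or from the CMS2CMS extensions, that flags world-writable directories under a site root. The sample inventory of paths and modes is constructed for the demonstration; the directory names in it are placeholders, not the folder the extensions actually create.

```python
import os
import stat
import sys

# Constructed sample inventory (not from the page): (relative path, st_mode)
# pairs of the shape os.lstat() returns for entries inside a site root.
# The names are hypothetical placeholders.
SAMPLE_ENTRIES = [
    ("administrator", 0o040755),
    ("tmp", 0o041777),          # sticky bit set, but still writable by others
    ("cms2cms_export", 0o040777),
    ("images", 0o040755),
    ("cache/leftover", 0o040777),
    ("configuration.php", 0o100666),  # a file, not a directory: out of scope here
]


def is_world_writable_dir(mode):
    """True only for directories whose 'other' write bit is set (e.g. 0777)."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)


def scan_entries(entries):
    """Pure check over (path, mode) pairs; lets the logic be tested offline."""
    return sorted(path for path, mode in entries if is_world_writable_dir(mode))


def scan_tree(root):
    """Walk a real directory tree and return world-writable directories,
    as paths relative to root. lstat() is used so a symlink to a directory
    is reported by its own (link) mode and is never followed."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if is_world_writable_dir(mode):
                found.append(os.path.relpath(full, root))
    return sorted(found)


if __name__ == "__main__":
    # Usage: python scan_world_writable.py /var/www/site
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in scan_tree(root):
        print(path)
```

The check deliberately keys on the "other" write bit rather than an exact 0777 match, so a 1777 directory (sticky bit) is reported too: the sticky bit stops users deleting each other's files but does nothing to stop a local user, or a web process running as a different account, from dropping a PHP file into the folder.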
En Masse, all versions, SQL Injection
En Masse by Matamko.com, all known versions, SQL Injection...
Easy Discuss, 4.0.20, XSS
Easy Discuss by Stackideas, versions 4.0.20 and previous, XSS Resolution: update to 4.0.21 update notice: https://stackideas.com/blog/easydiscuss4021-update...
Big File Uploader by Prismanet, 1.0.2, Insecure File Upload
Big File Uploader by Prismanet, 1.0.2, Insecure File Upload...
JB Visa, 1.0, SQL Injection
JB Visa by Joombooking.com, 1.0, SQL Injection...
User Bench, 1.0, SQL Injection
User Bench by gegabyte.org, version 1.0, SQL Injection Resolution: update to version 1.1 Update notice: http://www.gegabyte.org/downloads/joomla-extensions/joomla3/components/307-user-bench...
Joomla Guru, 5.0.15, SQL Injection
Joomla Guru by IJoomla, versions 5.0.15 and previous, SQL Injection Resolution: update to 5.0.16 Update notice: https://guru.ijoomla.com/changelog/237-guru-5-0-16...
[20181004] - Core - ACL Violation in com_users for the admin verification
If an attacker gains access to the mail account of a user who can approve admin verifications in the registration process, they can activate their own account...
My Projects, 2.0, SQL Injection
My Projects, 2.0, SQL Injection Resolution: update to version 2.1 Update notice: http://www.gegabyte.org/downloads/joomla-extensions/joomla3/components/292-my-projects...
Next Gen Editor, 2.1.0, SQL Injection
Next Gen Editor, 2.1.0, SQL Injection and multiple other vulnerabilities Resolution: update to version 2.2.0 Update notice: http://nextgeneditor.com/index.php/en/support/forum/installation-issues/3957-new-security-release...
B2j Contact, 2.0 and other, Other
B2j Contact, 2.0 and other, Other Resolution: update to 2.1.15...
JEXTN Question And Answer, 3.1.0, SQL Injection
JEXTN Question And Answer, 3.1.0, SQL Injection...
JEXTN Video Gallery, 3.0.5, SQL Injection
JEXTN Video Gallery, 3.0.5, SQL Injection...
JBuildozer, 1.4.1, SQL Injection
JBuildozer, 1.4.1, SQL Injection...
Virtuemart, 3.2.4, XSS (Cross Site Scripting)
Virtuemart, 3.2.4, XSS (Cross Site Scripting) Resolution: update to 3.2.6 Update notice: http://virtuemart.net/news/482-virtuemart-3-2-6-security-release-and-overhauled-infrastructure...
[20180104] - Core - SQLi vulnerability in Hathor postinstall message
The lack of type casting of a variable used in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message...
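The defect class named in this entry, an integer that reaches the query text without being cast, is worth seeing side by side with its fixes. The block below is an added example, not the Hathor template code and not from the Joomla advisory: it uses an in-memory SQLite table with constructed rows to show the uncast interpolation returning every row for a `1 OR 1=1` payload, the cast version neutralising it, and parameter binding as the stronger form. One caveat on the cast: PHP's `(int)` coerces `"1 OR 1=1"` to `1` and runs the query for id 1, whereas Python's `int()` raises, so the cast helper here rejects the value outright; both keep attacker-controlled text out of the SQL.

```python
import sqlite3

# Constructed sample data (not from the page): a three-row table standing in
# for any component table keyed by an integer id.
SAMPLE_ROWS = [(1, "first"), (2, "second"), (3, "third")]


def make_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO msg VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, raw_id):
    """Vulnerable pattern: the request value is dropped into the SQL text
    as-is, with no cast and no parameter binding. A payload such as
    '1 OR 1=1' rewrites the WHERE clause."""
    sql = f"SELECT id, body FROM msg WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_cast(conn, raw_id):
    """Hardened by casting: only an integer ever reaches the query text.
    Non-numeric input is rejected rather than coerced (PHP's (int) would
    coerce '1 OR 1=1' to 1 instead; either way the payload cannot run)."""
    try:
        safe_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    sql = f"SELECT id, body FROM msg WHERE id = {safe_id}"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, raw_id):
    """Preferred form: parameter binding. The value is passed to the driver
    separately from the SQL text, so it is compared as data, never parsed
    as SQL; '1 OR 1=1' simply matches no row."""
    return conn.execute(
        "SELECT id, body FROM msg WHERE id = ?", (raw_id,)
    ).fetchall()


if __name__ == "__main__":
    payload = "1 OR 1=1"
    print("unsafe :", lookup_unsafe(make_db(), payload))
    print("cast   :", lookup_cast(make_db(), payload))
    print("bound  :", lookup_bound(make_db(), payload))
```

Casting is the right fix when the value is by definition an integer id, as in this entry; binding is the fix that also covers string values, where no cast exists.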
[20180103] - Core - XSS vulnerability in Uri class
Inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability...
[20171102] - Core - 2-factor-authentication bypass
A bug allowed third parties to bypass a user's 2-factor-authentication method...
[20180509] - Core - XSS vulnerability in the media manager
Inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager...
HDW Player,4.0.0, RCE
HDW Player, 4.0.0 and all other versions, remote code execution Note that this vulnerability was supposedly fixed by the developer in version 3.2.2; the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that th...
JS Jobs,1.1.8, RCE
JS Jobs, 1.1.8, Remote code execution - includes free and pro versions resolution: update to 1.1.9 update notice: http://www.joomsky.com/products/js-jobs.html...
Google Maps by Reumer, 3.5, Malicious update
Google Maps by Reumer, from mapsplugin.com, version 3.5, malicious update Version 3.3 of this plugin is listed in the JED and appears to be clean. However once installed, the Joomla update manager prompts you to update this extension to a version 3.5 which is not officially published. This versio...
Ajax Quiz by Webkul, 2.0, SQL Injection
Ajax Quiz by Webkul, 2.0 and previous, SQL Injection Resolution: update to version 2.1 Update notice: https://store.webkul.com/AjaxQuiz.html...
[20171101] - Core - LDAP Information Disclosure
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password...
ZH Yandex Map, 6.1.1.0, SQL Injection
ZH Yandex Map, 6.1.1.0 and previous versions, SQL Injection Resolution: update to 6.2.0.0 Update notice: http://zhuk.cc/2017/10/05/zh-yandexmap-security-update/...
NS Download Shop, 2.2.6, SQL Injection
NS Download Shop, 2.2.6, SQL Injection Resolution: update to 2.2.8 Update notice: https://nswd.co/extensions/help-desk/security-release-v2-2-8...
Bargain Product VM3, 1.0, SQL Injection
Bargain Product VM3 by WebOrange, 1.0, SQL Injection...
Price Alert for Virtuemart, 3.0.4, SQL Injection
Price Alert for Virtuemart by WebOrange, 3.0.4 and all previous, SQL Injection...