
List of extensions particularly vulnerable to threats

From Joomla!WikiPL

Please check with the extension publisher in case of any questions over the security of their product.

Report vulnerable extensions either in the jforum:432 security topic or in the extensions topic, clearly marked.

How to read the list

All known extensions are listed in the first column. Details are in the middle column (the date added is in the US format mm/dd/yyyy), followed by a link to the advisory. At the end there is a link to the notice of any known update.

This list is compiled from information that has been found and cannot be treated as a current (accurate) list of all vulnerabilities in Joomla! components.


Items will be removed after a suitable period and not on resolution.

Entries are in no "particular" order.


Extension | Level | Details | References | Patch

com_ajaxchat
Summary: PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.
Published: October 28, 2009
Reference: CVE-2009-3822
Patch: update v. 1.1

com_booklibrary
Level: High
Summary: PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 10/28/2009 CVSS Severity: 7.5
Reference: CVE-2009-3817
Patch: Unknown

com_foobla_suggestions
Level: High
Summary: SQL injection vulnerability in the Foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.
Published: 10/11/2009 CVSS Severity: 7.5
Reference: CVE-2009-3669
Patch: developer reported upgrade

com_djcatalog
Level: Medium
Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) ... component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
Published: 10/11/2009 CVSS Severity: 6.8
Reference: CVE-2009-3661
Patch: Unknown
com_cbresumebuilder
Level: High
Summary: SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.
Published: 10/09/2009 CVSS Severity: 7.5
Reference: CVE-2009-3645
Patch: Developer update

com_soundset
Level: High
Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
Published: 10/09/2009 CVSS Severity: 7.5
Reference: CVE-2009-3644
Patch: Unknown

com_sportfusion
Level: High
Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.
Published: 09/30/2009 CVSS Severity: 7.5
Reference: CVE-2009-3491
Patch: Unknown

com_icrmbasic
Level: High
Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009 CVSS Severity: 7.5
Reference: CVE-2009-3481
Patch: Unknown
com_mytube
Level: High
Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.
Published: 09/28/2009 CVSS Severity: 7.5
Reference: CVE-2009-3446
Patch: Unknown

com_fastball
Level: High
Summary: SQL injection vulnerability in the Fastball (com_fastball) component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php.
Published: 09/28/2009 CVSS Severity: 7.5
Reference: CVE-2009-3443
Patch: new version 1.2.1

com_facebook
Level: High
Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.
Published: 09/28/2009 CVSS Severity: 7.5
Reference: CVE-2009-3438
Patch: Unknown

com_tupinambis
Level: High
Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.
Published: 09/28/2009 CVSS Severity: 7.5
Reference: CVE-2009-3434
Patch: Unknown
com_idoblog
Level: High
Summary: SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.
Published: 09/25/2009 CVSS Severity: 7.5
Reference: CVE-2009-3417
Patch: New version v. 1.1 (build 32)

com_hbssearch
Level: Medium
Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.
Published: 09/24/2009 CVSS Severity: 4.3
Reference: CVE-2009-3368
Patch: Unknown

com_hbssearch
Level: High
Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.
Published: 09/24/2009 CVSS Severity: 7.5
Reference: CVE-2009-3357
Patch: Unknown

com_alphauserpoints
Level: High
Summary: SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.
Published: 09/24/2009 CVSS Severity: 7.5
Reference: CVE-2009-3342
Patch: New release 1.5.3
TurtuShout
Level: High
Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
Published: 09/24/2009 CVSS Severity: 7.5
Reference: CVE-2009-3335
Patch: Unknown

com_jinc
Level: High
Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
Published: 09/23/2009 CVSS Severity: 7.5
Reference: CVE-2009-3334
Patch: Unknown

com_jbudgetsmagic
Level: High
Summary: SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.
Published: 09/23/2009 CVSS Severity: 7.5
Reference: CVE-2009-3332
Patch: Unknown

com_surveymanager
Level: High
Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
Published: 09/23/2009 CVSS Severity: 7.5
Reference: CVE-2009-3325
Patch: Unknown
com_album
Level: High
Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.
Published: 09/23/2009 CVSS Severity: 7.5
Reference: [1]
Patch: Unknown

com_jreservation
Level: High
Summary: SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.
Published: 09/23/2009 CVSS Severity: 7.5
Reference: CVE-2009-3316
Patch: Unknown

IXXO Cart Standalone
Level: High
Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
Published: 09/16/2009 CVSS Severity: 7.5
Reference: CVE-2009-3215
Patch: Unknown

com_digifolio
Level: High
Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.
Published: 09/15/2009 CVSS Severity: 7.5
Reference: CVE-2009-3193
Patch: Unknown
com_aclassf
Level: Medium
Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.
Published: 09/10/2009 CVSS Severity: 4.3
Reference: CVE-2009-3155
Patch: Unknown

com_aclassf
Level: High
Summary: SQL injection vulnerability in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action to index.php, a different vector than CVE-2009-2567.
Published: 09/10/2009 CVSS Severity: 7.5
Reference: CVE-2009-3154
Patch: Newer component

com_jabode
Level: High
Summary: SQL injection vulnerability in the Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.
Published: 09/08/2009 CVSS Severity: 7.5
Reference: CVE-2008-7169
Patch: Unknown

com_gameserver
Level: High
Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.
Published: 09/03/2009 CVSS Severity: 7.5
Reference: CVE-2009-3063
Patch: Unknown
com_artportal
Level: High
Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.
Published: 09/03/2009 CVSS Severity: 7.5
Reference: CVE-2009-3054
Patch: Unknown

com_agora
Level: Medium
Summary: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
Published: 09/03/2009 CVSS Severity: 6.8
Reference: CVE-2009-3053
Patch: 3.0.7

com_simpleshop
Level: High
Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published: 08/24/2009 CVSS Severity: 7.5
Reference: CVE-2008-7033
Patch: Unknown

com_groups
Level: High
Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 08/17/2009 CVSS Severity: 7.5
Reference: CVE-2009-2789
Patch: Unknown
com_content
Level: High
Summary: SQL injection vulnerability in the content (com_content) component 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.
Published: 08/10/2009 CVSS Severity: 7.5
Reference: CVE-2008-6923
Patch: Resolution

com_livechat
Level: High
Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 07/30/2009 CVSS Severity: 7.5
Reference: CVE-2008-6883
Patch: Unknown

com_livechat
Level: High
Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.
Published: 07/30/2009 CVSS Severity: 7.5
Reference: CVE-2008-6882
Patch: Unknown

com_livechat
Level: High
Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php.
Published: 07/30/2009 CVSS Severity: 7.5
Reference: CVE-2008-6881
Patch: Unknown
JUMI
Details: There is a backdoor in JUMI that installs itself when JUMI is installed on your web site. It sends your credentials to a website, and sets up a back door for remote code execution.
Please remove JUMI2.0.5 from the download page immediately to stop people falling victim to this. It will be simple enough to remove the compromised code from this download, but you need to do a full security audit on your site as well, as you have been compromised. Added November 2009
Reference: Report
Patch: Jumi update

com_photoblog
Details: Input Validation Error. Added November 2009
Reference: 36809 webguerilla
Patch: Photoblog alpha 3b

com_jshop
Level: High
Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.
Published: 11/02/2009 CVSS Severity: 7.5
Reference: CVE-2009-3835
Patch: Unknown
BF Survey Pro
Summary: SQL injection vulnerability in BF Survey Pro v1.2.5 or lower (fixed in version 1.2.6), BF Survey Basic v1.0 (fixed in version 1.1) and BF Quiz v1.1.1 (fixed in version 1.2 or greater). Added November 2009
Reference: tamlyncreative.com.au
Patch: Update

Joo!BB 0.9.1
Summary: Persistent XSS and SQL injection vulnerability in Joo!BB 0.9.1. Added November 2009
Reference: joob.org
Patch: Update

sh404sef
Summary: sh404sef URI XSS vulnerability. Added November 2009
Reference: jeffchannell.com
Patch: Update

AWD Wall 1.5
Summary: AWD Wall 1.5 Blind SQL Injection Vulnerability. The Joomla component AWD Wall 1.5 suffers from an SQL injection vulnerability in its handling of the 'cbuser' parameter. Added November 2009
Reference: Notes
Patch: Unknown

EasyBook 2.0.0rc4
Summary: The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit. Added November 2009
Reference: Alert
Patch: Unknown

F!BB 1.5.96
Summary: The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well as SQL injection in its user search feature. Added November 2009
Reference: Alert
Patch: Unknown

Testimonial Ku 2.0 Admin Panel
Summary: The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email". Added November 2009
Reference: Alert
Patch: Unknown

MS Comment 0.8.0b
Summary: MS Comment 0.8.0b for Joomla, a commenting plugin, suffers from multiple vulnerabilities. Added November 2009
Reference: Alert
Patch: Unknown

!JoomlaComment 4.0 beta1
Summary: !JoomlaComment 4.0 beta1, a commenting plugin, suffers from multiple XSS vulnerabilities. Added November 2009
Reference: Alert
Patch: Unknown

WebAmoeba Ticket System 3.0.0
Summary: WebAmoeba Ticket System 3.0.0, a Joomla help desk component, has a vulnerability in the BBCode library used to parse BBCode tags: it does not strip javascript: URLs from [url] tags. Added November 2009
Reference: Alert
Patch: Unknown

Kunena 1.5.x
Summary: This is an important security release and users are urged to update immediately. Five security issues and an Internet Explorer 8 table bug have been resolved in this release. This release also contains many other important bug fixes. Added 18 November 2009
Reference: Advisory
Patch: Newer version 1.5.8

com_siirler
Summary: SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. Added 18 November 2009
Reference: CVE-2009-3972
Patch: Unknown

jTips (com_jtips)
Summary: SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. Added 18 November 2009
Reference: CVE-2009-3971
Patch: Unknown

NinjaMonials
Summary: SQL injection vulnerability in the NinjaMonials (com_ninjacentral) component 1.1.0 for Joomla! 1.0.x allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php. Added 18 November 2009
Reference: CVE-2009-3964
Patch: Developer patch v. 1.2

webee 1.1.1 & 1.2
Summary: webee 1.1.1, a Joomla commenting plugin, suffers from multiple vulnerabilities. webee has been updated to 1.2 as of 12 November 2009 and still suffers from SQL injection. XSS was not tested in 1.2. Added 19 November 2009
Reference: jeffchannell.com
Patch: developer update v. 2.0

iF Portfolio Nexus
Summary: SQL injection vulnerability in the iF Portfolio Nexus component for Joomla. A remote attacker could send specially-crafted SQL statements using the id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009
Reference: secunia.com 37408
Patch: in the Portfolio Nexus v1.1.1 release

JoomClip
Summary: SQL injection vulnerability in the JoomClip component for Joomla. A remote attacker could send specially-crafted SQL statements to the index.php script using the cat parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. Nov 18, 2009
Reference: secunia.com 37400
Patch: Unknown
Joomla XML
Summary: Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number, via a direct request.
Published: 11/16/2009
Reference: CVE-2009-3946
Patch: Resolution

Component mygallery Remote SQL Injection Vulnerability
Summary: Joomla component mygallery (farbinform_krell) remote SQL injection vulnerability [2]. Added 27 Nov 2009
Patch: Unknown

Google Calendar
Summary: com_gcalendar 1.1.2 (gcid) remote SQL injection vulnerability. Remote SQL injection was identified in the Google Calendar component extension. Link added 27 Nov 2009
Reference: reference
Patch: Unknown

LyftenBloggie
Summary: LyftenBloggie component "author" SQL injection vulnerability, LyftenBloggie 1.x. Added 27 Nov 2009
Reference: SA37499
Patch: Unofficial fix. Developer fix not released as of 30 Nov 09. Unknown

Notes

List as discussed in jtopic:455746 by PhilD, editing by Mandville



Thank you for your contribution

» Stefan Wajda [zwiastun],