Pubblichiamo di seguito la lista delle estensioni per Joomla di terze parti risultate vulnerabili.
Questa lista è un feed RSS preso direttamente dal sito di Joomla.
Joomla! Vulnerable Extensions List
-
JEVents, 3.6.87, SQL Injection
JEVents, 3.6.87, 3rd party extension, SQL Injection
Update via developer website -
osTicky2, , Other
osTicky2, , 3rd party extension, Other
abandoned - remove from site -
EasyShop, 1.4.1, XSS (Cross Site Scripting)
EasyShop, 1.4.1, 3rd party extension, XSS (Cross Site Scripting)
-
LivingWord, , XSS (Cross Site Scripting)
LivingWord, , 3rd party extension, XSS (Cross Site Scripting)
-
Plugin Creative Gallery , , SQL Injection
Plugin Creative Gallery , , 3rd party extension, SQL Injection
-
Proforms Basic via sort_order parameter, , SQL Injection
Proforms Basic via sort_order parameter, , 3rd party extension, SQL Injection
-
EXTPLORER, 2.1.15, XSS (Cross Site Scripting)
EXTPLORER, 2.1.15, 3rd party extension, XSS (Cross Site Scripting)
-
LM-CUSTOM-ADMIN, , Other
LM-CUSTOM-ADMIN, , 3rd party extension, Other
-
admirror gallery, , XSS (Cross Site Scripting)
admirror gallery, , 3rd party extension, XSS (Cross Site Scripting)
-
Proforms Basic Joomla Module, , Other
Proforms Basic Joomla Module, , 3rd party extension, Other
-
acymailing, pre 8.7.0 , Other
acymailing, , 3rd party extension, Other multiple
https://www.acymailing.com/acymailing-release-security-%f0%9f%94%90-news-updates/ -
Admiror Gallery, , XSS (Cross Site Scripting)
Admiror Gallery, , 3rd party extension, XSS (Cross Site Scripting)
-
one vote, 1.7, XSS (Cross Site Scripting)
one vote, 1.7, 3rd party extension, XSS (Cross Site Scripting)
-
JKassa, 2.0.0, SQL Injection
JKassa, 2.0.0, 3rd party extension, SQL Injection
Update to latest version https://jkassa.com/en/extensions/jkassa.html
-
YooRecipe, All, SQL Injection
YooRecipe, All, 3rd party extension, SQL Injection
-
publisher, 3.0.19, XSS (Cross Site Scripting)
publisher, 3.0.19, 3rd party extension, XSS (Cross Site Scripting)
-
paGO Commerce, 2.5.9.0, SQL Injection
paGO Commerce, 2.5.9.0, 3rd party extension, SQL Injection
-
Social Chat, 1.5 and Below, SQL Injection Iacopo Guarneri
Social Chat, 1.5 and Below, 3rd party extension, SQL Injection Iacopo Guarneri
-
hwdplayer,4.2,SQL Injection
hwdplayer,4.2,SQL Injection
Possible abandonware also -
Rapicode, Multiple Extensions, Back Door
Rapicode, nultiple extensions, current versions, back door
Extensions affected are:-
- Rapi Content Ticker
- Rapi Content Carousel
- Rapi Cookie Consent
- Rapi Countdown
- Rapi Preloader
- Rapi Loading Progress Bar
- Rapi Page Animate
At the moment the back door seems to be loading mining code, it can be used to load arbitrary scripts or other content from the developer's site.
We suggest that the extensions be treated as malicious and uninstalled.
Note that their other extensions may be affected too, we have not had the opportunity to test them all. If you are using them we suggest checking the code for any curl request to cdn.rapicode.com, or using your browser tools to check for any unexpected scripts being loaded.
-
Google Map Landkarten,4.2.3,SQL Injection
Google Map Landkarten from joomla-24.de, versions 4.2.3 and previous, SQL Injection
-
Fastball, SQL Injection
Fastball by Fastball Productions, versions yet to be determined but probably all, SQL Injection
-
File Download Tracker,3.0,SQL Injection
File Download Tracker by techsolsystem.com, 3.0, SQL Injection
-
SquadManagement,1.0.3,SQL Injection
SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection
-
JMS Music,1.1.1,SQL Injection
JMS Music by Joomasters, versions 1.1.1 and previous, SQL Injection
Commenti offerti da CComment