publisher, 3.0.19, 3rd party extension, XSS (Cross Site Scripting)
paGO Commerce, 2.5.9.0, 3rd party extension, SQL Injection
Social Chat, 1.5 and below, 3rd party extension, SQL Injection, Iacopo Guarneri
hwdplayer, 4.2, SQL Injection
Possibly abandonware as well.
Rapicode, multiple extensions, current versions, back door
Extensions affected are:-
At the moment the back door appears to be loading mining code; it can be used to load arbitrary scripts or other content from the developer's site.
We suggest that the extensions be treated as malicious and uninstalled.
Note that their other extensions may be affected too; we have not had the opportunity to test them all. If you are using any of them, we suggest checking the code for any curl request to cdn.rapicode.com, or using your browser's developer tools to check for any unexpected scripts being loaded.
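The code check suggested above, as an added example that is not part of the VEL entry and not Rapicode's or Joomla's own code. It assumes the Joomla site root is passed as the first argument and that the only indicator available is the host name cdn.rapicode.com from this entry; the function names (scan_rapicode_refs, count_rapicode_refs, list_suspect_extensions) are illustrative. It matches plain-text references only, so an obfuscated loader (base64, string concatenation) would slip past it; that is why the browser-side check for unexpected scripts is still worth doing.

```shell
#!/bin/sh
# Added example, not code from the VEL or from Rapicode.
# Assumptions: $1 is a Joomla site root; the only indicator we have is the
# host name cdn.rapicode.com given in the advisory, so that is all we match.

RAPICODE_HOST='cdn\.rapicode\.com'

# Print every file:line:text under the site root that mentions the Rapicode
# CDN host. Plain-text match only: an obfuscated (e.g. base64) loader would
# not be caught here, which is why the browser-side check is still needed.
scan_rapicode_refs() {
    root=${1%/}
    find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '*.xml' \) \
        -exec grep -nH -i -e "$RAPICODE_HOST" {} + 2>/dev/null || true
}

# Number of matching lines, as a bare integer (0 when the tree is clean).
count_rapicode_refs() {
    scan_rapicode_refs "$1" | wc -l | tr -d ' '
}

# Reduce the hits to the extension directories they live in, e.g.
# modules/mod_foo or components/com_bar, one per line, so you know what to uninstall.
list_suspect_extensions() {
    root=${1%/}
    scan_rapicode_refs "$root" \
        | cut -d: -f1 \
        | sed "s#^$root/##" \
        | awk -F/ '{ if (NF > 1) print $1 "/" $2; else print $1 }' \
        | sort -u
}

# Usage: sh scan_rapicode.sh /var/www/joomla
if [ -n "$1" ]; then
    if [ "$(count_rapicode_refs "$1")" -gt 0 ]; then
        echo "Suspect extensions referencing cdn.rapicode.com:"
        list_suspect_extensions "$1"
        scan_rapicode_refs "$1"
    else
        echo "No plain-text references to cdn.rapicode.com found under $1"
    fi
fi
```

Run it against the site root rather than a single extension directory, since the entry notes that other Rapicode extensions may carry the same loader; anything it lists should be treated as malicious and uninstalled, as the VEL recommends.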
Google Map Landkarten from joomla-24.de, versions 4.2.3 and previous, SQL Injection
Fastball by Fastball Productions, versions yet to be determined but probably all, SQL Injection
File Download Tracker by techsolsystem.com, 3.0, SQL Injection
SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection
JMS Music by Joomasters, versions 1.1.1 and previous, SQL Injection
JS Autoz by Joomsky.com, 1.0.9 and previous, SQL Injection
Realpin by Marcel Törpe, versions 1.5.04 and previous, SQL Injection
Joomla! Pinterest Clone Social Pinboard from apptha.com, 2.0, multiple SQL Injection vulnerabilities
Saxum Picker, versions 3.2.10 and previous, SQL Injection
Saxum Numerology, versions 3.0.4 and previous, SQL Injection
Saxum Astro, versions 4.0.14 and previous, SQL Injection
En Masse by Matamko.com, all known versions, SQL Injection
JB Visa by Joombooking.com, 1.0, SQL Injection
Big File Uploader by Prismanet, 1.0.2, Insecure File Upload
JEXTN Question And Answer, 3.1.0, SQL Injection
JEXTN Video Gallery, 3.0.5, SQL Injection
JBuildozer, 1.4.1, SQL Injection
HDW Player, 4.0.0 and all other versions, remote code execution
Note that this vulnerability was supposedly fixed by the developer in version 3.2.2; the fact that the issue has reappeared suggests that the developer is aware of it and has created a deliberate back door. The VEL team believes that this extension should be regarded as malicious and permanently removed from any site using it.
Google Maps by Reumer, from mapsplugin.com, version 3.5, malicious update
Version 3.3 of this plugin is listed in the JED and appears to be clean. However, once it is installed, the Joomla update manager prompts you to update the extension to version 3.5, which is not officially published. That version contains hidden backlinks and a potential backdoor, together with tracking information about the website running the plugin and its user.
Bargain Product VM3 by WebOrange, 1.0, SQL Injection