04 Marzo 2021

• publisher, 3.0.19, XSS (Cross Site Scripting)

  publisher, 3.0.19, 3rd party extension, XSS (Cross Site Scripting)

• paGO Commerce, 2.5.9.0, SQL Injection

  paGO Commerce, 2.5.9.0, 3rd party extension, SQL Injection

• Social Chat, 1.5 and Below, SQL Injection Iacopo Guarneri

  Social Chat, 1.5 and Below, 3rd party extension, SQL Injection Iacopo Guarneri

• hwdplayer,4.2,SQL Injection

  hwdplayer,4.2,SQL Injection
  
  Possible abandonware also

• Rapicode, Multiple Extensions, Back Door

  Rapicode, nultiple extensions, current versions, back door

  Extensions affected are:-

  • Rapi Content Ticker
  • Rapi Content Carousel
  • Rapi Cookie Consent
  • Rapi Countdown
  • Rapi Preloader
  • Rapi Loading Progress Bar
  • Rapi Page Animate

  At the moment the back door seems to be loading mining code, it can be used to load arbitrary scripts or other content from the developer's site.

  We suggest that the extensions be treated as malicious and uninstalled.

  Note that their other extensions may be affected too, we have not had the opportunity to test them all. If you are using them we suggest checking the code for any curl request to cdn.rapicode.com, or using your browser tools to check for any unexpected scripts being loaded.

• Google Map Landkarten,4.2.3,SQL Injection

  Google Map Landkarten from joomla-24.de, versions 4.2.3 and previous, SQL Injection

• Fastball, SQL Injection

  Fastball by Fastball Productions, versions yet to be determined but probably all, SQL Injection

• File Download Tracker,3.0,SQL Injection

  File Download Tracker by techsolsystem.com, 3.0, SQL Injection

• SquadManagement,1.0.3,SQL Injection

  SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection

• JMS Music,1.1.1,SQL Injection

  JMS Music by Joomasters, versions 1.1.1 and previous, SQL Injection

• JS Autoz ,1.0.9,SQL Injection

  JS Autoz by Joomsky.com, 1.0.9 and previous, SQL Injection

• Realpin,1.5.04,SQL Injection

  Realpin by Marcel Törpe, versions 1.5.04 and previous, SQL Injection

• Joomla! Pinterest Clone Social Pinboard,2.0,SQL Injection

  Joomla! Pinterest Clone Social Pinboard from apptha.com, 2.0, multiple SQL Injection vulnerabilities

• Saxum Picker, 3.2.10, SQL Injection

  Saxum Picker, vesions 3.2.10 and previous, SQL Injection

• Saxum Numerology, 3.0.4, SQL Injection

  Saxum Numerology, versions 3.0.4 and previous, SQL Injection

• Saxum Astro, 4.0.14, SQL Injection

  Saxum Astro, versions 4.0.14 and previous, SQL Injection

• En Masse, all versions, SQL Injection

  En Masse by Matamko.com, all known versions, SQL Injection

• JB Visa,1.0,SQL Injection

  JB Visa by Joombooking.com, 1.0, SQL Injection

• Big File Uploader by Prismanet,1.0.2, Insecure File Upload

  Big File Uploader by Prismanet, 1.0.2, Insecure File Upload

• JEXTN Question And Answer ,3.1.0,SQL Injection

  JEXTN Question And Answer ,3.1.0,SQL Injection

• JEXTN Video Gallery 3.0.5 - SQL Injection, 3.0.5 ,SQL Injection

  JEXTN Video Gallery 3.0.5 - SQL Injection, 3.0.5 ,SQL Injection

• JBuildozer,1.4.1,SQL Injection

  JBuildozer,1.4.1,SQL Injection

• HDW Player,4.0.0, RCE

  HDW Player,4.0.0 and all other versions, remote code execution

  Note that this vulnerabilitiy was supposedly fixed by the developer in version 3.2.2, the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that this extension should be regarded as malicious and should be permanently removed from any site using it.

• Google Maps by Reumer, 3.5, Malicious update

  Google Maps by Reumer, from mapsplugin.com, version 3.5, malicious update

  Version 3.3 of this plugin is listed in the JED and appears to be clean. However once installed, the Joomla update manager prompts you to update this extension to a version 3.5 (which is not officially published). This version contains hidden backlinks and potential backdoor, with tracking information about the website running the plugin and user.

• Bargain Product VM3, 1.0, SQL Injection

  Bargain Product VM3 by WebOrange, 1.0, SQL Injection