Lista di estensioni di Joomla vulnerabili

JKassa, 2.0.0, 3rd party extension, SQL Injection

Update to latest version https://jkassa.com/en/extensions/jkassa.html

YooRecipe, All, 3rd party extension, SQL Injection

publisher, 3.0.19, 3rd party extension, XSS (Cross Site Scripting)

paGO Commerce, 2.5.9.0, 3rd party extension, SQL Injection

Social Chat, 1.5 and Below, 3rd party extension, SQL Injection Iacopo Guarneri

hwdplayer,4.2,SQL Injection

Possible abandonware also

Rapicode, nultiple extensions, current versions, back door

Extensions affected are:-

• Rapi Content Ticker
• Rapi Content Carousel
• Rapi Cookie Consent
• Rapi Countdown
• Rapi Preloader
• Rapi Loading Progress Bar
• Rapi Page Animate

At the moment the back door seems to be loading mining code, it can be used to load arbitrary scripts or other content from the developer's site.

We suggest that the extensions be treated as malicious and uninstalled.

Note that their other extensions may be affected too, we have not had the opportunity to test them all. If you are using them we suggest checking the code for any curl request to cdn.rapicode.com, or using your browser tools to check for any unexpected scripts being loaded.

Google Map Landkarten from joomla-24.de, versions 4.2.3 and previous, SQL Injection

Fastball by Fastball Productions, versions yet to be determined but probably all, SQL Injection

File Download Tracker by techsolsystem.com, 3.0, SQL Injection

SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection

JMS Music by Joomasters, versions 1.1.1 and previous, SQL Injection

JS Autoz by Joomsky.com, 1.0.9 and previous, SQL Injection

Realpin by Marcel Törpe, versions 1.5.04 and previous, SQL Injection

Joomla! Pinterest Clone Social Pinboard from apptha.com, 2.0, multiple SQL Injection vulnerabilities

Saxum Picker, vesions 3.2.10 and previous, SQL Injection

Saxum Numerology, versions 3.0.4 and previous, SQL Injection

Saxum Astro, versions 4.0.14 and previous, SQL Injection

En Masse by Matamko.com, all known versions, SQL Injection

JB Visa by Joombooking.com, 1.0, SQL Injection

Big File Uploader by Prismanet, 1.0.2, Insecure File Upload

JEXTN Question And Answer ,3.1.0,SQL Injection

JEXTN Video Gallery 3.0.5 - SQL Injection, 3.0.5 ,SQL Injection

JBuildozer,1.4.1,SQL Injection

HDW Player,4.0.0 and all other versions, remote code execution

Note that this vulnerabilitiy was supposedly fixed by the developer in version 3.2.2, the fact that this issue has arisen again suggests that the developer is aware of it and has created a deliberate back door. The VEL believe that this extension should be regarded as malicious and should be permanently removed from any site using it.