Vulnerability List last 3 months from NVD - US Gov.
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Vulnerability List last 3 months from NVD - US Gov.
In light of discussions such as http://forum.joomla.org/viewtopic.php?f=432&t=411032 and http://forum.joomla.org/viewtopic.php?f=432&t=445638 among others, here is a list (kind of long - 38 results) of vulnerabilities to some 3rd party Joomla components discovered in the last 3 months. This data is from the National Vulnerability Database run by the US Government. http://web.nvd.nist.gov/view/vuln/search?cid=1
Results are from the vulnerability keyword search (above URL) using joomla as the keyword. Results are from the last 3 months. I included the summary of the vulnerability for each.
If you are using one of these affected components on your site, update it to the latest version, or completely remove the component (and its files) from your site if there is no update or patch.
CVE-2009-3822
Summary: PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.
Published: 10/28/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3817
Summary: PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 10/28/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3669
Summary: SQL injection vulnerability in the foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.
Published: 10/11/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3661
Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
Published: 10/11/2009
CVSS Severity: 6.8 (MEDIUM)
CVE-2009-3645
Summary: SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3644
Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3491
Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.
Published: 09/30/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3481
Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3480
Summary: SQL injection vulnerability in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! allows remote attackers to execute arbitrary SQL commands via the p3 parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3446
Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3443
Summary: SQL injection vulnerability in the Fastball (com_fastball) component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3438
Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3434
Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3417
Summary: SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.
Published: 09/25/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3368
Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.
Published: 09/24/2009
CVSS Severity: 4.3 (MEDIUM)
CVE-2009-3357
Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.
Published: 09/24/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3342
Summary: SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.
Published: 09/24/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3335
Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
Published: 09/24/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3334
Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3332
Summary: SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3325
Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3318
Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3316
Summary: SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3215
Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
Published: 09/16/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3193
Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.
Published: 09/15/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3155
Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.
Published: 09/10/2009
CVSS Severity: 4.3 (MEDIUM)
CVE-2009-3154
Summary: SQL injection vulnerability in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action to index.php, a different vector than CVE-2009-2567.
Published: 09/10/2009
CVSS Severity: 7.5 (HIGH)
CVE-2008-7169
Summary: SQL injection vulnerability in Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.
Published: 09/08/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3063
Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3054
Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-3053
Summary: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
Published: 09/03/2009
CVSS Severity: 6.8 (MEDIUM)
CVE-2008-7033
Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published: 08/24/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-2789
Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 08/17/2009
CVSS Severity: 7.5 (HIGH)
CVE-2009-2782
Summary: SQL injection vulnerability in the JFusion (com_jfusion) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
Published: 08/17/2009
CVSS Severity: 7.5 (HIGH)
CVE-2008-6923
Summary: SQL injection vulnerability in the content component (com_content) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.
Published: 08/10/2009
CVSS Severity: 7.5 (HIGH)
CVE-2008-6883
Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 07/30/2009
CVSS Severity: 7.5 (HIGH)
CVE-2008-6882
Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.
Published: 07/30/2009
CVSS Severity: 7.5 (HIGH)
CVE-2008-6881
Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php.
Published: 07/30/2009
CVSS Severity: 7.5 (HIGH)
PhilD
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
w00t, I am responsible for finding CVE-2009-3342, CVE-2009-3335, CVE-2008-6883, CVE-2008-6882, and CVE-2008-6881 !!
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- fw116
- Joomla! Ace
- Posts: 1373
- Joined: Tue Sep 06, 2005 11:18 am
- Location: Germany
Re: Vulnerability List last 3 months from NVD - US Gov.
A really impressive list...
Damn, I like my mod_security....
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
fw116: only if your filters account for the attack vector.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- fw116
- Joomla! Ace
- Posts: 1373
- Joined: Tue Sep 06, 2005 11:18 am
- Location: Germany
Re: Vulnerability List last 3 months from NVD - US Gov.
jeffchannell wrote:
fw116: only if your filters account for the attack vector.

Well, my brother always calls me mister paranoia (nothing allowed so far), so I guess the filters are on track.
- Hazzaa
- Joomla! Explorer
- Posts: 342
- Joined: Fri Nov 24, 2006 6:13 pm
Re: Vulnerability List last 3 months from NVD - US Gov.
FYI, Agora has been fixed. We also released a news announcement in reference to the attack
Good list by the way
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
Yes, I see that it is on the Extensions site. http://extensions.joomla.org/extensions ... forum/1891
Thanks for the update
PhilD
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
@Hazzaa - I take it you guys fixed those other XSS issues I sent you re: 3.0.06?
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- Hazzaa
- Joomla! Explorer
- Posts: 342
- Joined: Fri Nov 24, 2006 6:13 pm
Re: Vulnerability List last 3 months from NVD - US Gov.
When did you send? Please email me. There is nothing I am aware of, but it would be great to know.
- Hazzaa
- Joomla! Explorer
- Posts: 342
- Joined: Fri Nov 24, 2006 6:13 pm
Re: Vulnerability List last 3 months from NVD - US Gov.
Thanks Jeff I just saw the PM now. Reply sent
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
I PMed you here on the J! forums, actually... PM me your email
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
I have fiddled the list provided by Jeff with a few more, and it's currently in a construction page, before I merge it with the existing list.
(sensible) Comments please.
http://docs.joomla.org/Vulnerable_Extensions_List_oct
Hazza, is 3.0.7 the current unvulnerable version?
Edit to highlight the word construction
Last edited by mandville on Fri Nov 06, 2009 3:21 pm, edited 1 time in total.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Hazzaa
- Joomla! Explorer
- Posts: 342
- Joined: Fri Nov 24, 2006 6:13 pm
Re: Vulnerability List last 3 months from NVD - US Gov.
Jeff PM'ed me something that I still need to test. I have not confirmed this as of yet, but will verify in the next day or so. If it is in fact an issue, we will have it fixed tomorrow. We begin on it today.
- Hazzaa
- Joomla! Explorer
- Posts: 342
- Joined: Fri Nov 24, 2006 6:13 pm
Re: Vulnerability List last 3 months from NVD - US Gov.
Sorry, the one you have listed on the linked page was resolved in Agora 3.0.01 Stable. We are now at 3.0.07 (as you know)
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
Hazzaa wrote:
Sorry, the one you have listed on the linked page was resolved in Agora 3.0.01 Stable. We are now at 3.0.07 (as you know)

Thanks.. I will update after your feedback with PhilD & Jeff.. Let me know and I'll alter it, and the other info in there is current, I believe. I have updated the link to point to the 3.0.7 download.
Edit to correct credits! (grovel)
Last edited by mandville on Wed Nov 04, 2009 6:28 pm, edited 1 time in total.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
Good job fiddling with the list Mandville! Easy to read.
PhilD
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
and to be added today
CVE-2009-3835
Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.
Published: 11/02/2009
CVSS Severity: 7.5 (HIGH)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
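The JShop entry above is the classic shape of a component SQL injection: an integer request parameter reaches the query text unchecked. As an added illustration for site owners and extension developers reading this thread (not JShop's code, and not code from the page), here is a hypothetical product lookup written two ways: the unsafe concatenation that produces this class of bug, and a hardened form that validates `pid` as a positive integer and binds it through PDO. The function names, the `products` table and the in-memory SQLite connection are assumptions made for the demo; a Joomla 1.5 component would do the same validation and binding through its own database layer.

```php
<?php
// Added illustration, not code from JShop or from this thread.
// Hypothetical product lookup: the unsafe pattern that produces an
// SQL injection like the one summarised above, beside a hardened form.

// UNSAFE: the request value is pasted straight into the SQL text, so
// anything other than a plain integer changes the query's structure.
function loadProductUnsafe(PDO $db, array $request): ?array
{
    $pid = $request['pid'] ?? '';
    $sql = "SELECT id, name, price FROM products WHERE id = " . $pid;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: (1) reject anything that is not a positive integer before it
// touches the database, and (2) bind the value as a typed parameter so the
// SQL text is fixed regardless of what the client sent.
function loadProductSafe(PDO $db, array $request): ?array
{
    $pid = filter_var($request['pid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($pid === false) {
        // Log and refuse: a non-integer pid is never a legitimate request,
        // and the log line is what you look for when reviewing access attempts.
        error_log('rejected non-integer pid: ' . var_export($request['pid'] ?? null, true));
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Self-contained demo against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99)");

var_dump(loadProductSafe($db, ['pid' => '2']));       // row for Gadget
var_dump(loadProductSafe($db, ['pid' => '12abc']));   // NULL: rejected before any query runs
var_dump(loadProductSafe($db, ['pid' => '-5']));      // NULL: out of range, also rejected
```

The validation step matters even with parameter binding: rejecting malformed input up front keeps junk out of the database layer entirely and gives you a single place to log it, which is the signal an administrator wants when checking whether a listed component is being probed.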
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
I would like to clear up some very obvious confusions that seem to be causing panic across the Joomla community by people who don't read the whole topic.
PhilD compiled the list, i just reformatted it.
Likewise, i am not responsible for the list existing in the first place, all the information is out there on the web in PD.
I have rights on the docs.joomla.org pages to create articles and took the list and reformatted it for ease of use.
The page that i linked to earlier, despite having several Under Construction notices on it, has been taken as gospel by some people.
On this UNDER CONSTRUCTION PAGE there is a resolution column, where, if found or notified the resolution links will be placed.
I have been asked to remove some links to fixed vulnerabilities, some i have done or marked as resolved. However, the basis that a developer has fixed an issue doesn't mean a user has updated the software so i do not plan to remove the item for a good while after the issue is reported.
Also the fact that some of these users have been running to different forums posting scare stories or questioning extension developers without checking this topic, the list instructions, or anything else first (like their own extension version number) is quite worrying. It has also been mentioned that the list is confusing. Can someone expand that point and explain how/why it is confusing?
I would like to thank the developers so far who have either responded in this post or contacted me to say the vulnerabilities were fixed.
P.S
And most people would a> not have taken this on, B> dropped it at the first sign of criticism
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Hazzaa
- Joomla! Explorer
- Posts: 342
- Joined: Fri Nov 24, 2006 6:13 pm
Re: Vulnerability List last 3 months from NVD - US Gov.
This will always happen mandville
Keep up the good work.
I sent an email to all my members but out of almost 150,000 downloads, I have a total of 8,000 members. I am quite sure I could not reach them all.
This will help spread the news
One thing you may want to consider is the far right column with the link to the fixed version is used the word "Fix" or "Download Fix"
This may help those that don't look, don't read and jump the gun to better understand that they can resolve the issue.
However you will still have a huge amount that will look at the first column and spread the news from there
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
As mandville has said I am the original compiler of the listings. She just formatted and incorporated the data onto the Joomla documentation site in such a way that it is easier to read and update. The vulnerable list mandville is revamping has been around for years, though we all tend to forget about it.
I applaud mandville for taking this project on, revamping the list and making the list more user friendly.
Comments:
While I like the idea of listing the current version of the product in the Resolved column, in the long run it may require less list maintenance if the words Get Newest Version or Get Update is used.
One other suggestion I would have is to make a perma link at the top of the security forum directly to the list.
Now to address some concerns that have been brought up about the data and the list.
There has been some concern the list is a scare tactic and may shy some people away who would otherwise use the component from installing and using it or create a flurry of posts on these forums and forums elsewhere about a problem that may have been corrected in a later version and does not exist anymore.
There also has been some concern that some of the listed data recently posted is old and that the component in question has had several revisions since the revision in question and should not have been listed.
The list was compiled from a public database and based on current listed data as of October 30, 2009. All summaries include the publish date to the Government database, i.e. when it was published publicly in the government database. This date has been included in the vulnerable component list.
Not all of the list came from me. With any listing there is a possibility of the data being somewhat dated because of the process involved in verifying the vulnerability. I do not know the time frame of this verification process, but the listed component versions did have an issue that was verified to get on the list in the first place. This includes beta versions of components if someone submitted the version.
I don't think that having a list of components that have a vulnerable version is a scare tactic especially when the information is already in the public domain.
I did say "If you are using one of these affected components on your site, update it to the latest version or completely remove the component (and its files) from your site if there is no update or patch." I think that statement is a responsible and true statement. I did not make (nor was I accused of doing so) the forum post requesting removal of a particular component that was posted in a warning type format, but I am sure it did get people's attention by the way it was worded. I do think it is still policy that when informed and verified the extension site administrators will remove the affected version of the extension.
The reason?
CMS users in general tend to install and forget until the site gets hacked. Many are inexperienced and know little about where to find reasonably good information to help them with an issue. It is good that the end user of a component becomes concerned, but I agree that many of those users will not check their version before posting to see if the version they are using is actually affected. Not much can be done about that though.
I don't think vulnerable versions of a component should be excluded or removed immediately from the list just because they are several versions older than current. Many do not keep their installs and components updated and I think the listed versions of the components should remain listed for a while so we can refer people to check their versions against the list.
Removal after some predetermined time that can be agreed on here would be ok with me. I would suggest an average of 6 months. Remember a link, where available, is being provided to the latest version from the vulnerability listing.
I do hope developers will look over the list and provide a link to their newest component version if the issue with a component version has been resolved.
PhilD
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
I say keep it, and preach it loud. If we try to downplay security risks, we're burying our heads in the sand.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
OK, if there are no other useful comments, then i will make the list currently at http://docs.joomla.org/index.php?title= ... s_List_oct the active one. i will request the page is moved to an active state to replace the existing OOD page.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
ok thanks to Dave,
the new "oct" list is now at http://docs.joomla.org/Vulnerable_Extensions_List
and the original old one is now at http://docs.joomla.org/Vulnerable_Exten ... (Archived)
i suppose that i will set up a new topic announcement for it.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- geekhead
- Joomla! Intern
- Posts: 83
- Joined: Mon May 21, 2007 2:44 am
- Location: Connecticut USA
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
in the original post Joomlacache was listed
the resume component was updated and secured within four days and the new version was made available immediately.
any one with a valid subscription, even if it has expired, is eligible to get the latest secured version.
FYI: we are also being removed from the IBM vulnerability list, that should happen in a day or so.
Joomla Extensions Development http://www.madeforjoomla.com and website help at http://www.911websiterepair.com
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
I have updated the vulnerable list to include the fix for the joomlacache extension
thanks for the report
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
several more extensions have been added to the list, and some resolved. please visit it NOW.
thanks
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- mark_up
- Joomla! Guru
- Posts: 849
- Joined: Sun Oct 29, 2006 10:51 am
- Location: Fiji
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
Hi mandville,
Thanks for maintaining the list.
Could you please add this link to a patch for the NinjaMonials 1.1 vulnerability.
Also, can we discuss why the date mentioned is "18 November 2009"?
The vulnerability was discovered in the deprecated version of NinjaMonials for Joomla 1.0. This discovery was made over three months ago, in August. A fix was released within 12hrs. Why not list the date of the original discovery (24/08/09). A correct date for both the vulnerability and the fix will more accurately reflect the current status of the extension as well as show how seriously (or not) the developers take security.
I would suggest also making it clear whether the vulnerable extension is for J1.0 or J1.5. Nobody shopping for a Testimonial extension today is going to be doing it for a J1.0 website, yet your listing doesn't explicitly state that only the J1.0 version was vulnerable. No J1.5 version of Ninjamonials has ever been found vulnerable.
Anyway, just wanted to post my thoughts. I would at the very least just like a link to the patched version added to your table.
Thanks
Mark
Last edited by mark_up on Fri Nov 27, 2009 4:29 am, edited 1 time in total.
http://twitter.com/mark_up.
Opinions expressed are mine alone and don't necessarily represent the views of any organisation I am associated with.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
Hi I will break this into parts for ease of response if thats ok.
mark_up wrote: Thanks for maintaining the list.
Thats ok, someone has to do it, there is a little team of us, im just the face of it.
mark_up wrote: Could you please add to a patch for the NinjaMonials 1.1 vulnerability.
Done with the new version number noted
mark_up wrote: Also, can we discuss why the date mentioned is "18 November 2009"?
That was the date it was added to the list, not the date of find or notification
mark_up wrote: I would suggest also making it clear whether the vulnerable extension is for J1.0 or J1.5.
I have added to make it clear the Joomla version it was for
mark_up wrote: Nobody shopping for a Testimonial extension today is going to be doing it for a J1.0 website,
want to bet on that?!
mark_up wrote: No J1.5 version of Ninjamonials has ever been found vulnerable.
Great to hear that on all counts
mark_up wrote: Anyway, just wanted to post my thoughts. I would at the very least just like a link to the patched version added to your table.
we welcome all comments in an attempt to improve the list and hope/wish that some of the other dev's are as on the ball as you.
We also try to only list security advisory sites that don't have the download-able exploit to prevent other sites being "done over" as it were.
ps
GollumX wrote: Hi Mandy,
Sorry, I am not "Mandy" or any variation of Mandville
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- mark_up
- Joomla! Guru
- Posts: 849
- Joined: Sun Oct 29, 2006 10:51 am
- Location: Fiji
- Contact:
Re: Vulnerability List last 3 months from NVD - US Gov.
OMG for a split second as I was typing I wondered whether I was getting your name wrong. No idea why but I was almost certain that I had read either you call yourself or someone else call you Mandy somewhere else on this forum.
Sorry about that.
Thanks for the quick response
mandville wrote: want to bet on that?!
mark_up wrote: Nobody shopping for a Testimonial extension today is going to be doing it for a J1.0 website
I shall decline this bet
Thanks again
-Mark
Last edited by mark_up on Fri Nov 27, 2009 3:09 am, edited 1 time in total.
http://twitter.com/mark_up.
Opinions expressed are mine alone and don't necessarily represent the views of any organisation I am associated with.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Vulnerability List last 3 months from NVD - US Gov.
apart from the other matter, (edit as needed) was everything else ok and a little clearer for everyone?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}