- The JNews component was found to be vulnerable to SQL Injection affecting multiple pages.
CVE
- The AcyMailing component was vulnerable to SQL Injection in the export controller. This was another issue discovered by me, Filipe and Vitor while we were looking for low-hanging fruit in the top Joomla plugins.
- The JEvents component was vulnerable to SQL Injection in the new-events functionality. This vulnerability was located inside the backoffice.
- This vulnerability was found in the JNews plugin and showed how we bypassed the file extension validation and how we discovered two different unrestricted file upload forms.
- Continuing the journey of targeting low-hanging fruit in Joomla plugins, this issue was found to expose Hikashop’s users to a low risk by allowing arbitrary JavaScript code to be injected from the control panel.