Chris Russell

**Name of the Vulnerable Software and Affected Versions** com techfolio version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `catid` parameter in the frontend/models/techfoliodetail.php file of the Techfolio component for Joomla!. **Recommendations** For version 1.0, avoid using the `catid` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the frontend/models/techfoliodetail.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** com vikrealestate version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `contract` parameter in a results action and the `imm` parameter in a show action to "index.php". **Recommendations** For version 1.0, consider restricting access to the vulnerable parameters `contract` and `imm` in the respective actions until a patch is available. Avoid using the `contract` parameter in the results action and the `imm` parameter in the show action to "index.php" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joomla! Barter Sites component version 1.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `category id` parameter in the `index.php` API endpoint. **Recommendations** For Joomla! Barter Sites component version 1.3, consider restricting access to the `index.php` endpoint until a patch is available, and avoid using the `category id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Barter Sites component version 1.3 for Joomla! **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via several parameters, including `listing title`, `description`, `homeurl`, `paystring`, `sell price`, `shipping cost`, and `quantity`, in the `com listing` component. This is achieved by sending malicious input to the "index.php" endpoint. **Recommendations** For Barter Sites component version 1.3, avoid using the vulnerable parameters `listing title`, `description`, `homeurl`, `paystring`, `sell price`, `shipping cost`, and `quantity` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.